Adobe confirmed reports of serious flaws in its popular .pdf viewer Thursday and urged users to upgrade to the latest version without delay.

"Adobe is aware of the recent cross-site scripting vulnerability in versions 7.0.8 and earlier of Adobe Reader and Adobe Acrobat that could allow remote attackers to inject arbitrary JavaScript into a browser session," the vendor said in an emailed statement. "This is not a vulnerability in .pdf. Specifically, this issue could occur when a user clicks on a malicious link to a .pdf on the Web."

While the latest version fixes the flaws, Adobe said it would also release patches next week for the older, vulnerable versions.

Security experts have expressed alarm over the flaws, discovered by vulnerability researchers Stefano Di Paola and Giorgio Fedon. They warned that attackers could easily exploit the vulnerabilities to launch cross-site scripting attacks and do a variety of damage. Experts are particularly concerned because Adobe Reader is used by a huge segment of the computing population.

According to the researchers' analysis, the trouble is in how Adobe tells the browser to handle .pdf files. Firefox and Internet Explorer are particularly vulnerable.

The flaws affect Adobe Reader 6.0.1 for Windows via Internet Explorer 6 and version 7.0.8 for Windows via Firefox 2.0.0.1. Other versions may also be affected, warned Danish vulnerability clearinghouse Secunia. Though Adobe has fixed the security holes in version 8.0.0, experts worry that many users will be slow to upgrade, leaving themselves open to an easy attack. Adobe sought to raise awareness with its advisory yesterday.

Regardless of the latest flaws, Adobe said users should always be cautious when clicking on links from unknown or even trusted sources.

Cupertino, Calif.-based antivirus giant Symantec Corp. stressed the significance of the flaws in its blog this week. The vendor said that:

* The ease in which they can be exploited is "breathtaking." Use of the feature in question requires no exploitation of vulnerabilities on the server side.

* Any Web site that hosts a .pdf file can be used to conduct an attack. "All the attacker has to do is find out who is hosting a .pdf file on their Web server and then piggy back on it to mount an attack," the Cupertino, Calif.-based vendor said. "What this means, in a nutshell, is that anybody hosting a .pdf file, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."

* Due to the power and flexibility of JavaScript, the attacker has a wide scope for inflicting damage.

The link for this article located at Search Security.com is no longer available.