Adobe has promised to patch buggy versions of its popular Reader software next week to close a cross-site scripting vulnerability that some researchers say has the potential to be the worst of all 2007.

The vulnerability in Adobe Reader and an associated browser plug-in was first publicized Wednesday by security firms, which said the bug could let hackers misuse trusted Adobe PDF (Portable Document Format) files as carriers of malicious JavaScript code.

Adobe, which had earlier promised to patch the vulnerable versions of Reader, posted a security advisory late Thursday with details of the bug. "A cross-site scripting (XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat 7.0.8 could allow remote attackers to inject arbitrary JavaScript into a browser session," the advisory read. It did not divulge a specific day next week for its patch release, and recommended that users update to version 8 of Reader or Acrobat if possible.

"For users who cannot upgrade to Reader 8, the Secure Software Engineering team is working with the Adobe Reader Engineering team on a 7.0.9 update to versions 7.0.8 and earlier of Adobe Reader and Acrobat that will resolve this issue, which is expected to be available in the next week," the advisory said. The patches will come none to soon for some security researchers. While Adobe itself tagged the XSS bug as "important" and Danish vulnerability tracker Secunia has labeled it as "moderately critical," others are say that the flaw is much more dangerous than first thought.

"At first I didn't think that this was that bad, since just about every site is vulnerable [to cross-site scripting] anyway. It was interesting, that's all," says Jeremiah Grossman, the chief technology officer of WhiteHat Security. "But a hacker named 'RSnake' has shown that it's possible to set up a malicious URL that points to a default PDF file location on the local system. When that happens, the attacker is granted access to all local files, at least with read access."

Although it's not yet clear if an attacker would have write access -- necessary to introduce other code remotely to, for example, plant on-disk spyware or hijack the computer with a bot -- just the possibility is scary. "We've not been able to verify [write access]," says Grossman. "People are still learning about this; it's only been a couple of days."

An attack would be simple to execute, Grossman says. All a criminal has to do is locate a PDF on a public Web site, craft a link to the PDF that includes appended JavaScript code, then get a user to click on that link, probably by duping users with spammed e-mail or instant messages. "Any place where a user is likely to see and click [the link]," says Grossman. Once the link's clicked, the JavaScript executes, and the attacker can move on to any traditional XSS malfeasance, such as capturing keystrokes, stealing browser histories, and masking fraudster phishing sites.

"The vulnerability is very pervasive as it lowers the hackability bar from the target Web site needing to have an XSS issue to simply hosting a PDF," Grossman says. "This has the potential to be the number one worst vulnerability of 2007. Had this come out two weeks ago, it would have definitely made the top 10 list for 2006."

The XSS exploits against Reader and Acrobat work only in specific combinations of browsers and Adobe software, but even that was up in the air Friday. Adobe has yet to finish its testing, and while Symantec laid out claims Thursday, a rival security vendor contested the findings.

"The data provided by Symantec doesn't match up with multiple in-depth tests performed with our labs," says Ken Dunham, director of VeriSign iDefense's rapid response team. "IE 6.x is not vulnerable with Adobe Acrobat 7.x and up," Dunham says. "We ran confirmation against last night just to make sure."

iDefense's testing said that all versions of IE 6.x running Reader/Acrobat 6.0.1 and earlier were at risk, as were the Windows versions of Firefox 1.5.0.8 and 2.0.0.1 when running Reader/Acrobat 7.0.8 and earlier. Also vulnerable: Opera 9.x running Reader/Acrobat 7.0.8.

WhiteHat's Grossman acknowledged that testing was in flux, and that some vendors were getting conflicting results.

More important than the browser-Adobe combinations that are, or aren't, at risk, however, is the sure bet that cross-site scripting vulnerabilities will be big in 2007.

"They're going to be the attack of 2007. We may be sick of hearing about cross-site scripting, but it's just getting started," Grossman said.

When Adobe posts patches for the 7.0.8 and earlier line of Reader and Acrobat next week, they will appear on the company's support Web site. Version 8 of Reader, which is immune to the XSS bug, can be downloaded free-of-charge from here.