Adobe calls for upgrades to mitigate vulnerability

05.01.2007

Adobe's moves come amid considerable industry concern over the seriousness of a vulnerability in an Adobe Reader feature called Open Parameters, which allows for additional commands to be sent to the program when opening a PDF file. The feature allows users "to open a PDF file using a URL or a command that specifies both the file to be opened, plus actions to be performed once the file is opened," according to an Adobe description.

But Adobe's apparent failure to properly validate the kind of actions that can be performed once the file is opened gives attackers a way to run malicious JavaScript on a user's browser, according to security analysts.

One example is that of an attacker creating a hostile Web site with a link to a PDF file on a bank's Web site, said Ken Dunham, director of VeriSign Inc.'s iDefense rapid response team in Reston, Va. The link could contain malicious commands that are executed when it is clicked and the PDF file is opened in a browser, he said.

"Instead of clicking on a link to get a PDF file, you get more than you bargained for -- execution of hidden JavaScript statements" in a user's browser, Dunham said. The malicious JavaScript could be used to steal cookies, session keys and Web browsing data, he said.

Since the scripts would appear to be running in the context of the Web sites from which the PDFs are loaded, victims are unlikely to suspect or detect suspicious activity, said Billy Hoffman, lead research engineer at SPI Dynamics in Atlanta.
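The validation gap described above can be narrowed on the defender's side by checking PDF links before they are rendered or forwarded, for example in a mail gateway or a site's own link rewriter. The sketch below is an added example, not Adobe's code or anything from the original article. It assumes the parameters travel in the URL fragment as `name=value` pairs joined by `&`; the allowlist, the function names `checkPdfLink` and `sanitizePdfLink`, and the sample hosts are all constructed for illustration.

```javascript
// Added example (not Adobe's code): allowlist check for Open Parameters in a PDF link.
// ALLOWED is an assumed subset of the parameter names Adobe documents; tune to policy.
const ALLOWED = new Set(["page", "nameddest", "zoom", "view", "pagemode",
                         "scrollbar", "toolbar", "statusbar", "navpanes", "search"]);
// Values must be plain tokens: no scheme separators, brackets, markup or control chars.
const SAFE_VALUE = /^[A-Za-z0-9 _.,-]*$/;

function checkPdfLink(href, base = "https://example.invalid/") {
  let url;
  try { url = new URL(href, base); }
  catch { return { pdf: false, ok: false, reasons: ["unparseable URL"] }; }
  // Only links whose path ends in .pdf are subject to the parameter check.
  if (!url.pathname.toLowerCase().endsWith(".pdf")) return { pdf: false, ok: true, reasons: [] };
  const reasons = [];
  for (const pair of url.hash.slice(1).split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? "" : pair.slice(eq + 1);
    let name, value;
    try {
      // Decode before matching so percent-encoding cannot hide a rejected character.
      name = decodeURIComponent(rawName).toLowerCase();
      value = decodeURIComponent(rawValue);
    } catch { reasons.push(`malformed encoding in "${pair}"`); continue; }
    if (!ALLOWED.has(name)) reasons.push(`unknown parameter "${name}"`);
    if (!SAFE_VALUE.test(value)) reasons.push(`unsafe value for "${name}"`);
  }
  return { pdf: true, ok: reasons.length === 0, reasons };
}

// Returns the link unchanged when it passes, the link without its fragment when a
// PDF link fails the check, or null when the URL cannot be parsed at all.
function sanitizePdfLink(href, base = "https://example.invalid/") {
  const verdict = checkPdfLink(href, base);
  if (verdict.ok) return href;
  if (!verdict.pdf) return null;
  const url = new URL(href, base);
  url.hash = "";
  return url.href;
}

// Constructed sample links; bank.example is a placeholder host.
console.log(checkPdfLink("https://bank.example/statement.pdf#page=3&zoom=150"));
console.log(checkPdfLink("https://bank.example/statement.pdf#note=javascript:void(0)"));
```

Dropping the fragment keeps the document reachable while discarding whatever the link asked the reader to do after opening it.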