The document works equally well with fully-patched versions of Adobe Reader on Windows or Mac OS X. It doesn't affect other PDF readers, such as Foxit or Mac OS X's Preview. Testers also noted that if the test document is launched from the desktop, it warns the user before opening the link, while if launched from the Web there's no warning. "Both Adobe 6 and 7 did not warn me before launching these URLs," Kierznowski wrote.

The second attack uses Adobe's Adobe Database Connectivity (ADBC) and Web Services support, accessing the Windows ODBC, enumerating available databases and then sending the information to "localhost" via the Web service. The test is found here (http://michaeldaw.org/projects/backdoored2.pdf).

Kierznowski said that because of the nature of the attack, using legitimate features, it was likely that similar exploits were likely to be possible using Adobe Reader's support for HTML forms, file system access and other features. "I am sure with a bit more creativity even simpler and/or more advanced attacks could be put together," he wrote.

He noted it was possible to backdoor all Acrobat files by loading a JavaScript file into Acrobat's JavaScripts directory. Adobe said it has no immediate plans to alter its products' JavaScript handling, but said it is aware of the research and is "actively investigating" the issue.

Just today, Adobe released Acrobat 8 and integrated it with its upgraded Creative Suite 2.3 Premium. The company said Acrobat 8 Professional will be available for Windows and Macintosh, with Acrobat 8 Standard for Windows, from November, in English, French, German, and Japanese.