Multiple security vulnerabilities in the Adobe Reader may allow remote unprivileged users to execute arbitrary code. This includes a cross-site scripting (XSS) vulnerability that may allow a remote unprivileged user to inject arbitrary JavaScript into a browser session.

Note: Adobe Reader is the free viewing companion to Adobe Acrobat. Adobe Reader allows you to view, navigate, and print Portable Document Format (PDF) files.

These issues have been described in the following documents:

• APSB07-01 at: http://www.adobe.com/support/security/bulletins/apsb07-01.html  
• CVE-2006-5857 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5857
• CVE-2007-0045 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0045
• CVE-2007-0046 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0046

This issue can occur in the following releases:

SPARC Platform

• Solaris 10 without patch 121104-02

Note 1: Solaris 8 and Solaris 9 are not affected by this issue. Solaris 10 x86 platform is also not affected.

Note 2: All versions of Adobe Reader and Acrobat up to and including version 7.0.8 are affected by these issues. Solaris 10 ships Acrobat Reader 7.0.

To determine the version of Adobe Reader installed on the system the following command can be run:

    $ /usr/bin/acroread -version
    7.0.1

There are no predictable symptoms that would indicate the described issues have been exploited.

To work around the described issues, do not load PDF files from untrusted sources.

To work around the cross site scripting vulnerability, disable JavaScript in the browser application. This can done in Mozilla as follows:

1. Open the Preferences dialog from the Edit menu
2. Select the Advanced tree
3. Select the Scripts & Plug-ins leaf
4. Uncheck the Navigator check box
5. Click the OK button

This issue is addressed in the following release:

SPARC Platform

• Solaris 10 with patch 121104-02 or later

• State: Resolved
• Updated Contributing Factors and Resolution sections

This solution has no attachment