PDF Security Risk Appears Greater Than Originally Thought

         

engine

6:30 pm on Jan 5, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



A recently discovered security weakness in the widely used Acrobat Reader software could put Net users at more risk than previously thought, experts warned Thursday.

Initially, security professionals thought that the problem was restricted and exposed only Web-related data or could support phishing scams. Now it has been discovered that miscreants could exploit the problem to access all information on a victim's hard disk drive, said Web security specialists at WhiteHat Security and SPI Dynamics.

PDF Security Risk Appears Greater Than Originally Thought [news.com.com]

Apparently, Adobe is aware of the issue and is still evaluating "all possible scenarios."

txbakers

2:34 am on Jan 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK, can someone explain this in layman's terms?

Does this mean I shouldn't have links inside PDF files, or shouldn't link TO PDF files on my server? Can I allow people to UPLOAD PDF files?

What are they talking about here?

smells so good

7:20 am on Jan 7, 2007 (gmt 0)

10+ Year Member



From what I understood, the risk is simply having a PDF file on your server. The miscreant will craft a link to your PDF, and try to get people to click the link. If successful, the user's machine is compromised. Your PDF was simply an innocent bystander, however, someone could be upset that you were used, and possibly even take fault with you.

It doesn't appear that as webmasters we can do anything, except remove PDF files from our sites. That's not really a viable option. Some users will upgrade Adobe, most probably won't. This is a case where educating the web public is important, because they are the only ones that can prevent this particular problem going forward. Perhaps Adobe could possibly create some mechanism that will force its users to upgrade.

txbakers

3:06 pm on Jan 7, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That's so absurd. The recommendation is not to put any PDF files on the server?

Is this the end of the public internet as we know it?

encyclo

1:55 am on Jan 8, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's a whole lot of confusing information and recommendations about this problem. As I understand it (and I'm not sure I fully understand all the implications of this issue), the problem is uniquely with the Acrobat plugin lower than version 8. The exploits can use PDF files stored on a public webserver (i.e. your or my site) and append a # followed by JavaScript. I don't believe it is an XSS problem which can affect the security of the site itself. As the # and whatever follows it is not transmitted to the server (it's a client-side in-page link usually), you can't use mod_rewrite to avoid your PDF files being (ab)used.

I suppose it would be possible to mitigate the problem by declaring the MIME type for PDF files as application/octet-stream or similar, but that brings its own disadvantages. The only real solution is to get users to update to the new version of the plugin.
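The two points in the post above, as an added example that is not part of the original thread: the part of a URL after # never reaches the server, so nothing server-side can filter on it, and a server can send every PDF as application/octet-stream so the browser saves it instead of handing it to the plugin. The URL, file content, function names and the Content-Disposition header are assumptions made for this sketch.

```python
from urllib.parse import urlsplit
from wsgiref.util import setup_testing_defaults

# Constructed placeholder content and URL; nothing here comes from the thread.
PDF_BYTES = b"%PDF-1.4\n% constructed placeholder\n"
SAMPLE_URL = "https://www.example.com/docs/report.pdf#placeholder-fragment"


def request_target(url):
    """Path (+ query) the browser sends on the request line; the fragment is dropped."""
    parts = urlsplit(url)
    return (parts.path or "/") + ("?" + parts.query if parts.query else "")


def app(environ, start_response):
    """Minimal WSGI app: every *.pdf is sent as a download, not an inline document."""
    if environ["PATH_INFO"].lower().endswith(".pdf"):
        start_response("200 OK", [
            ("Content-Type", "application/octet-stream"),
            ("Content-Disposition", 'attachment; filename="document.pdf"'),
            ("Content-Length", str(len(PDF_BYTES))),
        ])
        return [PDF_BYTES]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def fetch(url):
    """Call the app the way a server would after the browser strips the fragment."""
    parts = urlsplit(url)
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"], environ["QUERY_STRING"] = parts.path, parts.query
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return environ["PATH_INFO"], seen["status"], seen["headers"], body


if __name__ == "__main__":
    print("request line target:", request_target(SAMPLE_URL))
    path, status, headers, _ = fetch(SAMPLE_URL)
    print(path, status, headers["Content-Type"], headers["Content-Disposition"])
```
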

smells so good

2:03 am on Jan 8, 2007 (gmt 0)

10+ Year Member



The recommendation is not to put any PDF files on the server?

I didn't exactly see that recommendation, and I'm sure Adobe would prefer their users to upgrade. Realistically, what percentage of users will upgrade? I don't think 100% can be expected. And, without an upgrade, that recommendation is about your only recourse, if you don't want to be a part of the problem. It isn't the end of the public internet, but it certainly signals a shift.

bouncybunny

1:37 pm on Jan 9, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



But surely any attempt would require bypassing a firewall, either on a server, or on client machine?

bouncybunny

2:19 pm on Jan 9, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Has anyone got any idea if the Pro versions of Acrobat are affected?

Otherwise, is this simply a question of updating to the latest version of the Reader?

MatthewHSE

9:08 pm on Jan 9, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't believe it is an XSS problem which can affect the security of the site itself.

That's my understanding of the matter. From what I can tell, *any* existent PDF file on a webserver can be used to launch the attack, but only on the victim's PC, not the server itself or future visitors who request the PDF under normal circumstances. As such, I don't see a compelling reason for website owners to remove PDF files, provided there's a good reason for them to be there in the first place. After all, my PC's security is ultimately my responsibility.

This is what scares me much more:

Key to increased access is where hostile links point. When the issue was first discovered, experts warned of links with malicious JavaScript to PDF files hosted on Web sites. While risky, this actually limits the attacker's access to a PC. It has now been discovered that those limits can be removed by directing a malicious link to a PDF file on a victim's PC . . . PDFs are abundant on the Net and finding one on a local system also isn't hard, a sample PDF file comes with Acrobat Reader and is installed in a predictable location on PCs, Grossman said.

The Big Question:
Would it work to simply disable viewing PDF files in the browser and download them instead? If the file is opened without the malicious link appended to it (which it wouldn't be if downloaded first and opened locally) then I would think harmless PDF files would remain harmless.

bouncybunny

3:21 am on Jan 10, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, according to Secunia (I hope it's OK to post this snippet);

The vulnerabilities are confirmed in Adobe Reader version 6.0.1 for Windows via Internet Explorer 6 and version 7.0.8 for Windows via Firefox 2.0.0.1. The following products are reportedly affected as well:
* Adobe Acrobat 3D
* Adobe Acrobat Standard, Professional, and Elements version 7.0.8 and prior
* other Adobe Reader versions prior to 7.0.8

Which is a bit vague, but seems to imply that this only affects the plugin and only when the PDF is loaded within certain Windows browsers.

I still don't completely see the connection with Acrobat 3D and the paid for versions though. Are they just talking about the plugins that these install?