We have all heard about how Adobe's Acrobat Reader and Flash browser plug-ins are vulnerable to exploits. But did you know that the actual file format specification for all PDFs is also a vector for attack?

The ISO standard for PDFs (ISO PDF 32000-1:2008) details the functionality that is present in the file format and outlines the launch command. This launch specification can allow malicious coders to imbed scripted commands that can infect even a clean PDF. There is no need to exploit javascript or another zero-day exploit. As the code executes in the PDF the user will be presented with a dialog box asking if he or she wants to run the code. A clever attacker can design the dialog to entice the user into thinking they need to click this. This is a proven technique used by many "scare-ware" vendors. They fool the user into thinking they are infected with a virus and by clicking on a button it will clean it off for them.
Both Adobe and Foxit are working ways to correct the issue or at least provide additional user warnings about the danger of opening unknown PDFs.