The vulnerability was initially referenced in the news thread (McAfee spots Adobe Reader PDF-tracking flaw) last Monday. The post at the McAfee Labs Blog provides some additional details.
Tracking PDF Usage Poses a Security Problem
Friday, April 26, 2013 by Haifei Li
Update on May 2
Adobe has confirmed this vulnerability and has scheduled a patch release for May 14.
Recently, we detected some unusual PDF samples. After some investigation, we successfully identified that the samples are exploiting an unpatched security issue in every version of Adobe Reader including the latest "sandboxed" Reader XI (11.0.2). Although the issue is not a serious problem (such as allowing code execution), it does let people track the usage of a PDF. Specifically, it allows the sender to see when and where the PDF is opened.
The danger is that if the second parameter is provided with a special value, it changes the API's behavior. In this situation, if the UNC resource exists, we see the warning dialog. However, if the UNC resource does not exist, the warning dialog will not appear even though the TCP traffic has already gone.
Continued here: http://blogs.mcafee.com/mcafee-labs/tracking-pdf-usage-poses-a-security-problem
From the Adobe Product Security Incident Response Team (PSIRT) Blog:
Created: May 02, 2013
Adobe is aware of reports of a low severity information leakage issue described in a recent advisory. A user's IP address and timestamp could be exposed when opening a specially crafted PDF and then clicking a URL within the document.
This issue will be resolved in the next scheduled releases (May 14) of Adobe Reader and Acrobat.