- Global object | This object is "used to store data that is persistent across invocations of Acrobat or shared by multiple documents"; it's easy to see where this could go wrong very quickly. The global object is subscription-based, meaning a document must subscribe to the functionality, but we've seen many instances in other languages where a global object simply gets abused through some exploit in the security mechanism...
- SOAP object | This object "provides support for rich text responses and queries, HTTP authentication and WS-Security, SOAP headers, error handling, sending or converting file attachments, exchanging compressed binary data, document literal encoding, object serialization, XML streams, and applying DNS service discovery to find collaborative repositories on an intranet"... while the intentions are good, one can certainly find interesting things to do here, especially using the "exchanging compressed binary data" feature.
- Privileged context | According to Adobe's reference, once you explicitly state your trust for a document's signing certificate, that PDF file can then do "privileged things" which otherwise would be disallowed. Seriously, how hard is it to fool even an educated user into trusting a digital certificate?
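
For triage, the three features above can be spotted by the Acrobat JavaScript API names a document's scripts call. The following is an added example, not code from the original post or from Adobe: the function names, the grouping of API names and the sample bytes are assumptions made here, and it only looks at plain text and Flate-compressed streams, not object streams, other filters, encrypted files or obfuscated scripts.

```python
import re
import zlib

# Acrobat JavaScript API names for the three features listed above.
# The grouping into features is an assumption of this example.
RISKY_APIS = {
    "global": re.compile(rb"\bglobal\.(?:setPersistent|subscribe)\b"),
    "SOAP": re.compile(
        rb"\bSOAP\.(?:connect|request|response|streamEncode|streamDecode)\b"),
    "privileged": re.compile(rb"\bapp\.(?:trustedFunction|beginPriv|endPriv)\b"),
}
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def candidate_blobs(pdf_bytes):
    """Yield the raw file, then every stream body that inflates as zlib data."""
    yield pdf_bytes
    for match in STREAM.finditer(pdf_bytes):
        try:
            # decompressobj tolerates a clipped or padded stream tail
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data; the raw bytes were already scanned


def flag_risky_js(pdf_bytes):
    """Return {feature: sorted list of API names seen} for analyst review."""
    hits = {}
    for blob in candidate_blobs(pdf_bytes):
        for feature, pattern in RISKY_APIS.items():
            for found in pattern.finditer(blob):
                hits.setdefault(feature, set()).add(found.group(0).decode())
    return {feature: sorted(names) for feature, names in hits.items()}


# Constructed sample: one inline /JS action and one Flate-compressed script.
SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript "
    b"/JS (global.setPersistent\\(\"x\", true\\);) >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(
        b"var f = app.trustedFunction(function () { app.beginPriv(); });")
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for feature, names in flag_risky_js(SAMPLE).items():
        print(feature, names)
```

A hit is a reason to pull the script out and read it, not a verdict: legitimate forms use these calls too.
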
 TheRegister Article - April 28th, 2009
 Adobe PSIRT Blog - April 28th, 2009