"All the infrastructure is in place," Boodaei said, citing the networks of hacked sites that criminals use to launch drive-by attacks, which typically try multiple exploits or attack vectors, in order to infect as many victims as possible. "This is just another vulnerability they can use," he said.

Adobe has acknowledged the bug, but has not yet committed to producing a patch to stymie attacks. However, the company has urged users to change Reader's and Acrobat's settings to disable the /Launch function.

In a blog post Tuesday, Adobe Reader group product manager Steve Gottwals recommended that consumers by unchecking a box marked "Allow opening of non-PDF file attachments with external applications" in the programs' preferences panes. By default, Reader and Acrobat have the box checked, meaning that the behavior Stevens exploited is allowed.

Gottwals also showed how IT administrators can force users' copies of Reader and Acrobat into the unchecked state by pushing a change to Windows' registry.

On Thursday, another Adobe executive said Adobe is considering several options to plug the hole, among them an update to Reader and Acrobat that would change the default state of the setting to off. "We're still evaluating," said Brad Arkin, Adobe's director for product security and privacy in an interview yesterday. "The biggest thing is to make sure that any changes we do don't impact all the ways that people use the software today."