The next day, Wednesday, Belgian security researcher Didier Stevens said he also had crafted an exploit that triggers the bug without requiring JavaScript, and backed up his claim by publicly posting proof-of-concept attack code. His exploit works in the background, and doesn't require that a user actually open a malformed PDF file.

"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability...just like it would when you would explicitly open the document," .

Adobe has acknowledged that its advice to disable JavaScript wouldn't be a panacea. In an interview last week, Brad Arkin, Adobe's director for product security and privacy, admitted that only the forthcoming patch would completely protect users. "Disabling JavaScript does not provide a full mitigation," Arkin said. "It protects against one form of attack. To the best of our understanding, there's no product configuration that can completely mitigate the threat."

Arkin also defended Adobe's patching pace, which has come under fire as being too sluggish. "We were contacted by one of our partners on Jan. 16 when they shared an exploit that they had found in the wild," he said. "That kicked off our investigation and we began working on a fix immediately."

Adobe plans to patch Reader and Acrobat 9 next week, and will follow that with fixes for Versions 7 and 8 of both applications on March 18. "We're doing everything we can, and we intend [meet] to those deadlines," said Arkin.