New York Training Blog

A blog to talk about new Technical developments in the Computer industry.

Sunday, February 22, 2009

Adobe Acrobat Reader vulnerable.

The Shadowserver Foundation is reporting a zero-day attack on current versions of Adobe Acrobat Reader.

They describe the attack as limited in nature, probably in use as a targeted attack. But as they say, it's a safe assumption that before too long the exploit of Acrobat Reader will be in every exploit pack and widely abused. They have tested it in Acrobat Reader, not the full Acrobat product, but assume it will work there as well.

Shadowserver's recommended mitigation is a reasonable idea: disable JavaScript in the Acrobat client. Here's how:
Inside Acrobat, click Edit -> Preferences -> JavaScript and uncheck the box "Enable Acrobat JavaScript".

[Update: Adobe is now acknowledging the problem. They say they are working on it and will have a solution "by March 11th, 2009." They say Reader and the full Acrobat product are both vulnerable, in versions 7, 8 and 9, and that updates for all will be provided. In the meantime they are working with anti-malware vendors to help them detect exploits of the vulnerability.]
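Alongside disabling JavaScript in the client, incoming PDFs can be checked for embedded JavaScript before anyone opens them. The sketch below is an added example, not code from Shadowserver, Adobe or the original post. It assumes a file that relies on Acrobat JavaScript declares it with the standard /JS or /JavaScript names; the function names and sample bytes are constructed for illustration.

```python
import re
import sys

# PDF name tokens that mark embedded JavaScript or automatically run actions.
SUSPECT_NAMES = ("JS", "JavaScript", "OpenAction", "AA")

# A PDF name is "/" followed by regular characters; "#xx" is a hex escape.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample objects, not taken from any real document.
SAMPLE_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert\\('hi'\\);) >>\nendobj\n"
    b"%%EOF\n"
)
SAMPLE_PLAIN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Count suspect name tokens in the raw bytes of one PDF file.

    Names inside compressed streams are not visible to this scan, so a
    zero count does not prove a file is free of JavaScript.
    """
    counts = {name: 0 for name in SUSPECT_NAMES}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def has_javascript(data: bytes) -> bool:
    """True when the file declares a JavaScript action in clear text."""
    counts = scan_pdf_bytes(data)
    return counts["JS"] > 0 or counts["JavaScript"] > 0


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_pdf_bytes(fh.read()))
```

Run it with one or more PDF paths as arguments; files that report a non-zero JS or JavaScript count are candidates for holding until the vendor update is installed.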
