The exploits now in circulation can break out of the Protected Mode sandbox -- the first documented bypass of Adobe's technology -- but will be stymied if Protected View is enabled in Reader 11.
But as several security experts have pointed out, Protected View is not turned on by default in Reader 11.
Traditionally, Adobe has played it conservative with security features, either leaving them off by default or declining to immediately roll them out to users. It took the latter path in 2010 with Reader 10's Protected Mode.
On Sunday, Adobe explained why it didn't turn on Reader 11's Protected View, essentially saying it opted to favor businesses -- which rely on more advanced features of Reader and its for-a-fee Acrobat cousin -- over consumers, who typically use the software only to view PDFs.
"We weighed the risk/benefit to customers with the impact on customers and their existing workflows," said Adobe spokeswoman Heather Edell in an email reply to questions. "Adobe Reader Protected View will allow only one single function, which is to view a PDF document. Turning Adobe Reader Protected View on by default would break existing workflows customers rely on and result in unexpected impact on a very significant number of users."
Edell did say that Protected View may be toggled on by default in the future. She did not commit to a timetable, however.
Windows users can turn on Protected View by opening Reader 11, selecting "Preferences" from the Edit menu, clicking the "Security (Enhanced)" item in the column on the left, then near the top of the ensuing dialog clicking "Files from potentially unsafe locations" or "All files" under the "Protected View" heading.
But customers running OS X are out of luck: Reader for Apple's operating system lacks any sandboxing. Until Adobe patches Reader, Mac owners can protect themselves by viewing PDFs in OS X's Preview application rather than Adobe Reader.
To make this change, users can right-click on any PDF document, select "Get Info" from the pop-up menu, choose "Preview" in the "Open with" field, and finally, click the "Change All" button.
The last time Adobe rushed out an emergency update to patch a Reader zero-day vulnerability was in December 2011.