[ For background and a timeline on how *not* to handle incident response, HD Moore's blog post is a great start. ]
Here's what we have from Adobe:
While this information is better than the silence we've gotten from Adobe since the attacks became public, it falls well short of providing the protection information that businesses and end users need when in-the-wild malware attacks are occuring.
The company did not offer any details on the actual vulnerability. It did not provide workarounds. It did not provide mitigation guidance. Adobe simply rehashed what we already knew and confirmed that the public mitigation guidance from third parties is/was not definitive.
As my former ZDNet Zero Day blog colleague Nate McFeters points out, the issue is much worse than first imagined.
If Secunia can do it based on information that's public, what's to stop malicious hackers with major financial motivation?
So what now Adobe?