[ For background and a timeline on how *not* to handle incident response, HD Moore's blog post is a great start. ]
Adobe's response simply confirms what we already know and reiterates that turning off JavaScript will NOT eliminate the risk entirely. However, the company does not offer any definitive suggestions or workarounds, instead pointing to a list of anti-malware vendors blocking known attacks.
Here's what we have from Adobe:
While this information is better than the silence we've gotten from Adobe since the attacks became public, it falls well short of providing the protection information that businesses and end users need when in-the-wild malware attacks are occurring.
The company did not offer any details on the actual vulnerability. It did not provide workarounds. It did not provide mitigation guidance. Adobe simply rehashed what we already knew and confirmed that the public mitigation guidance from third parties is/was not definitive.
As my former ZDNet Zero Day blog colleague Nate McFeters points out, the issue is much worse than first imagined.
According to Secunia's Carsten Eiram, his company managed to create a reliable, fully working exploit that does not use JavaScript and can therefore successfully compromise users who may think they are safe because JavaScript support has been disabled.
If Secunia can do it based on information that's public, what's to stop malicious hackers with major financial motivation?
So what now, Adobe?