Disable JavaScript to avoid zero-day attacks

Posted On December 16, 2009


To protect themselves from zero-day attacks, users need to kill JavaScript in Adobe’s Reader and Acrobat tools, according to security experts.

Shadowserver, a volunteer-run group that tracks vulnerabilities, urged users to switch off JavaScript. “We have said it before and we will say it again: Disable JavaScript. This vulnerability is actually in a JavaScript function within Adobe Acrobat and Reader. The vulnerable JavaScript is obfuscated inside a ‘zlib’ stream making universal detection and intrusion detection signatures much more difficult.”
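Why a byte signature on the raw file misses script stored in a zlib stream, and what inflating each stream first changes, shown as an added example (not Shadowserver's or Adobe's code). The sample PDF fragment, the script and the name `placeholderVulnerableCall` are constructed for illustration.

```python
import re
import zlib

# A stream body sits between the "stream" keyword + EOL and "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate(data):
    """Inflate a zlib stream; return None when data is not valid zlib."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return None


def scan_pdf(pdf, signature):
    """Report where `signature` (bytes) matches: raw file vs. inflated streams."""
    stream_hits = []
    for index, match in enumerate(STREAM_RE.finditer(pdf)):
        body = inflate(match.group(1))
        if body is not None and signature in body:
            stream_hits.append(index)
    return {"raw": signature in pdf, "streams": stream_hits}


def build_sample(script):
    """Constructed PDF fragment: a JavaScript action whose script lives in a
    Flate-compressed stream (object 2), plus one uncompressed stream."""
    packed = zlib.compress(script)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Filter /FlateDecode /Length %d >>\n" % len(packed),
        b"stream\n", packed, b"\nendstream\nendobj\n",
        b"3 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n",
        b"%%EOF\n",
    ])


# Constructed, harmless stand-in for script text a signature would look for.
SAMPLE_SCRIPT = (b"var note = 'constructed sample'; "
                 b"placeholderVulnerableCall(note); placeholderVulnerableCall(note);")
SAMPLE_PDF = build_sample(SAMPLE_SCRIPT)

if __name__ == "__main__":
    # The raw scan misses the call; the inflated stream 0 contains it.
    print(scan_pdf(SAMPLE_PDF, b"placeholderVulnerableCall"))
```

The scan only handles a single Flate layer; streams using other or chained filters would need their own decoders before any signature is applied.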

The advice seems timely, as bug researcher and exploit maker HD Moore confirmed that an exploit would be published to the open-source Metasploit penetration testing framework within a day or two. Moore, the creator of Metasploit and Chief Security Officer for security company Rapid7, echoed Shadowserver’s advice. “Disabling JavaScript does prevent the vulnerable code from being called,” said Moore in an e-mail to Computerworld.

To kill JavaScript in Adobe Reader or Acrobat on Windows, users need to select Preferences from the Edit menu, choose “JavaScript,” then uncheck the “Enable Acrobat JavaScript” option. On the Mac, Preferences is under the “Adobe Reader” or “Adobe Acrobat” menus.

Killing JavaScript is the only defense against attacks until Adobe solves the problem. It is likely to take a month before that happens. Adobe’s next regularly-scheduled security updates for Reader/Acrobat are likely to launch on January 12, 2010.

If Moore’s preliminary work is any indication, attack code will go public long before then. “It is a little tricky to make reliable, but we are on track and should have a Metasploit update ready within a day or two at the latest,” Moore said, referring to the probable release of an exploit module for the testing framework.
