According to Websense, the vulnerability is in a CoolType routine that fails to check that a supposedly null-terminated string really is null-terminated. A malicious PDF document can use this to cause a stack overflow, crashing the application or executing arbitrary code.
While CoolType has been compiled with the /GS and /SAFESEH parameters to block straightforward methods of manipulating the return address to execute the payload, the icucnv.dll library also used by Acrobat and Reader does not take advantage of address space layout randomisation (ASLR), so its code is always loaded at a predictable address. This allows an attacker to write code using a technique called return-oriented programming (ROP) to get around the defences.
Microsoft has pointed out that EMET 2.0 (the latest version of Microsoft's Enhanced Mitigation Experience Toolkit) can be used to force ASLR for software that isn't inherently ASLR-aware.
However, this only works on Windows 7, Vista and Server 2008. EMET's export address table access filtering mitigation also works to protect against the Acrobat/Reader exploit on XP and Server 2003 by detecting attempts to access Kernel32.dll's export address table.
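Whether a module opts in to ASLR is recorded in its PE header, so a defender can check which DLLs an application loads would need EMET's forced ASLR. The following is an added example, not code from the article, Microsoft or Adobe; it reads the DllCharacteristics field and builds a constructed header-only PE as sample input, since no real icucnv.dll is available here.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (field sits at offset 70 of both PE32 and PE32+ optional headers)
DYNAMIC_BASE = 0x0040   # image opts in to ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100      # image opts in to DEP (/NXCOMPAT)
NO_SEH = 0x0400         # image declares it uses no structured exception handlers

def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                 # skip PE signature and 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return chars

def aslr_report(data: bytes) -> dict:
    """Summarise the mitigations a module opts in to; aslr=False is what EMET's forced ASLR covers."""
    chars = dll_characteristics(data)
    return {
        "aslr": bool(chars & DYNAMIC_BASE),
        "dep": bool(chars & NX_COMPAT),
        "no_seh": bool(chars & NO_SEH),
    }

def build_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample input: a header-only PE (not a real or loadable DLL)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymbols, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 96, 0x2000)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

def check_file(path: str) -> dict:
    """Report on a real module on disk, e.g. the Reader install directory's icucnv.dll."""
    with open(path, "rb") as f:
        return aslr_report(f.read())

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Run it over the DLLs in an application's install directory; any module reporting aslr=False is one that EMET must be used to relocate, and that only on Windows 7, Vista and Server 2008.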
Microsoft and Adobe both warn that the testing of the functional compatibility of this mitigation has been limited and that they "recommend that you also test the mitigation in your environment to minimise any impact on your workflows."
The original exploit reportedly runs code to download other malware from a remote site that has now been shut down.
Adobe still has not announced a timetable for the release of an update to fix the underlying vulnerability.