'We know full well that using our software puts you at risk, but we have a schedule to keep thankyouverymuch. In the meantime, just cross your fingers. Oh and we won't be advertising or warning anyone about the problem.'
This is and always has been the first change I make to reader's configuraton and doing so has thwarted several drive-by attempts over the past few years. PDFs almost never contain useful javascript - and i'm being generous in adding "almost".
There have been so many security issues with read over the years that I just don't even bother installing it anymore. I just use google's pdf reading abilities.
Why does a document reader need javascript support in the first place? If the document is that complex it more then like should have been made into flash, silverlight, or HTML.
I'm still waiting for them to fix the cross domain execution that is allowing flash based ads to infect PCs with vundo strains.