The newly discovered zero-day attacks targeting critical vulnerabilities in Adobe's ubiquitous Reader application can bypass recently added security defenses unless end users manually change the default settings, company officials said.

According to an advisory Adobe published Wednesday night, the "protected view" feature prevents the current attacks from working, but only if it's manually enabled. To turn it on, open Preferences > Security (Enhanced), select either the "Files from potentially unsafe locations" option or, for broader coverage, the "All files" option, then click OK. The first option covers only files that Windows has marked as coming from an untrusted location, such as browser downloads and e-mail attachments, so "All files" is the safer choice. There's also a way for administrators to enable protected view on Windows machines across their organization.
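The administrator route Adobe mentions is a registry setting rather than the Preferences dialog. The script below is an added example for this article, not Adobe's tooling and not taken from the advisory: it reports the per-user preference and the machine-wide lockdown value, and with `-Enforce` writes the lockdown so a user cannot switch protected view back off. The registry paths and value names (`iProtectedView` under `TrustManager` for the user setting and under `FeatureLockDown` for the lockdown, `bProtectedMode` for the sandbox) are assumptions taken from Adobe's preference documentation for Reader 11.0 and should be verified against it before deployment.

```powershell
<#
  Audit and lock down Protected View for Adobe Reader XI on Windows.
  Added example, not Adobe's tooling. ASSUMPTIONS: the registry locations and
  value names below are taken from Adobe's Reader 11.0 preference reference and
  must be verified against it. On 64-bit hosts confirm whether the Wow6432Node
  view of HKLM\SOFTWARE applies to your installation before relying on this.
#>
param(
    [switch]$Enforce,                    # without -Enforce the script only reports
    [ValidateSet(1, 2)][int]$Mode = 2    # 1 = potentially unsafe locations, 2 = all files
)

$UserKey     = 'HKCU:\Software\Adobe\Acrobat Reader\11.0\TrustManager'
$LockdownKey = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown'

function Get-ProtectedViewState {
    param([string]$Key)
    # A missing key or value means Reader falls back to its shipped default, which is off.
    $item = Get-ItemProperty -Path $Key -Name iProtectedView -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (Reader default: off)' }
    switch ($item.iProtectedView) {
        0       { 'off' }
        1       { 'files from potentially unsafe locations' }
        2       { 'all files' }
        default { "unrecognised value $($item.iProtectedView)" }
    }
}

function Set-ProtectedViewLockdown {
    param([int]$Mode)
    if (-not (Test-Path $LockdownKey)) { New-Item -Path $LockdownKey -Force | Out-Null }
    # FeatureLockDown values override and grey out the per-user preference, so the
    # setting survives a user wandering into Preferences > Security (Enhanced).
    New-ItemProperty -Path $LockdownKey -Name iProtectedView -PropertyType DWord `
        -Value $Mode -Force | Out-Null
    # Protected View is layered on the Protected Mode sandbox; lock the sandbox on as well
    # (assumed value name, see header) so neither can be disabled by the user.
    New-ItemProperty -Path $LockdownKey -Name bProtectedMode -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

Write-Output ('Per-user preference : ' + (Get-ProtectedViewState $UserKey))
Write-Output ('Machine lockdown    : ' + (Get-ProtectedViewState $LockdownKey))

if ($Enforce) {
    Set-ProtectedViewLockdown -Mode $Mode
    Write-Output ('Lockdown now        : ' + (Get-ProtectedViewState $LockdownKey))
}
```

Run it without arguments from a normal prompt to see what a given machine is actually doing; `-Enforce` needs an elevated prompt because it writes under HKLM. For a fleet, push the same `FeatureLockDown` values with a Group Policy registry preference (or `Invoke-Command` against a list of hosts) and keep the report-only mode as the check that the policy has applied.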

The revelation is significant because it means users aren't protected when running the widely used document reader in its default configuration. The limitation came to light following the discovery of in-the-wild attacks against current versions of Reader, exploits that surreptitiously install malware on end-user computers. The exploit is also noteworthy because its intricate code base bypasses several additional protections added just four months ago with the goal of thwarting malware attacks.

According to technical analysis also published Wednesday night by researchers from security firm FireEye, the exploit generates attack code that's customized for different versions of the program. It uses a technique known as return-oriented programming (ROP) to bypass the mitigations known as data execution prevention (DEP) and address space layout randomization (ASLR). It also floods the app's export table with fake entries pointing to invalid memory locations to throw off sandbox analysis reports.

It's the first known malware attack to successfully pierce the security sandbox that Adobe engineers added to default versions of Reader more than two years ago. Sadly, as sophisticated as the exploit is, Adobe engineers could have prevented it from succeeding against default configurations of Reader XI had they enabled protected view. Instead, they chose to turn that feature off by default, so the only way users can avail themselves of its benefits is to delve deep into the application settings and manually enable it.

It's unclear why protected view isn't turned on by default. If I had to guess, I'd bet engineers decided convenience should trump security. That's because protected view provides a highly restricted environment that disables most other features, which is something I'm guessing Adobe marketers weren't willing to enable by default. (An Adobe spokeswoman didn't respond to my questions asking why the feature isn't enabled automatically.)

Those who want to protect themselves from PDF exploits have two options. One is to use an alternative app such as Foxit Reader. With the exception of the reader that Google includes with its Chrome browser, these alternative programs are probably line-for-line as buggy as Adobe's app. But since they have orders of magnitude fewer users, they're much less likely to be targeted by the kinds of attacks uncovered by FireEye.

The other option, for Windows users, is to install Reader XI and enable protected view using the steps outlined in the second paragraph of this article. Protected view and the underlying protected mode sandbox are Windows-only features of Reader, so Mac users don't have that setting available to them.

It's disappointing that Adobe took the time to design a feature that can protect its users but didn't turn it on by default. I can't help comparing the move to a car manufacturer that installs airbags in one of its models, but then requires customers to flip a switch before the bags actually inflate during a high-impact crash. Security mitigations are great, but only if they're easily used by the masses.