Published: 2009-12-15
Security firms and research groups warned on Monday that attackers are using a previously unknown flaw in Adobe Acrobat and Reader to level attacks against a limited number of targets.
The vulnerability, which occurs in a JavaScript function in Adobe Acrobat and Reader, allows an attacker to invisibly run a program on the affected computer if the victim opens a Portable Document Format (PDF) file containing exploit code. Adobe alerted users on Monday about the vulnerability but has not yet released a patch for the issue.
Other security researchers warned of the seriousness of the flaw.
"We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue," Steven Adair, a member of the ShadowServer Foundation, a malicious-code research group, wrote in a blog post. "This is legit and is very bad."
The exploit has been in the wild since at least Friday, December 11, Adair stated.
Vulnerabilities in Adobe's Acrobat, Reader and Flash products are serious issues because the software is used on nearly every system connected to the Internet. The software company patched seven serious vulnerabilities in its Flash player earlier this month in its regularly scheduled update.
The ShadowServer Foundation recommended that Adobe users turn off JavaScript in the program's preferences. Security firm Symantec, the owner of SecurityFocus, advised users to follow safe computing practices.
"Until a patch becomes available, users can keep themselves safe by following best practices, such as not opening attachments from people you don't know," said Ben Greenbaum, a senior research manager with Symantec Security Response.
Posted by: Robert Lemos
