BitDefender says zero-day flaws still hitting Internet Explorer and Adobe

According to preliminary reports, the Microsoft Internet Explorer vulnerability has already been used in targeted attacks against 34 major firms. BitDefender says that, at the moment, Microsoft has released an advisory, but no patch is available for this vulnerability.

As a result, BitDefender has pushed an emergency update to users of its security products that intercepts and blocks the malicious code before it adversely impacts the target system.

The Adobe flaw was initially discovered on December 14 and, although the vendor issued a patch on January 12, BitDefender says that the vulnerability is still being exploited in the wild.

The Internet Explorer zero-day exploit takes advantage of a memory corruption vulnerability, also known as CVE-2010-0249, affecting all versions of the popular browser software, except for Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4.

BitDefender reports that, under specific conditions, Internet Explorer can be tricked into allowing remote code execution by accessing an invalid pointer after an object is deleted.

Although all versions of Internet Explorer are vulnerable, the firm says that risks are lower for IE8 users, as it comes with DEP (data execution prevention) enabled by default.

On the Adobe Reader front, meanwhile, BitDefender says that the vulnerability – known as CVE-2009-4324 – affects Adobe Reader and Acrobat 9.2 plus earlier versions.

Successful exploitation, says the firm, could cause crashes and allow a remote party to execute arbitrary code on the victim's computer, as well as to carry out cross-site scripting attacks.

In order to stay safe, BitDefender recommends that Adobe and Internet Explorer users download, install and update a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection, and that they exercise extreme caution when prompted to open files from unfamiliar locations.
