My company has discovered separate, critical zero-day exploits in two of the most heavily used applications in the world: Microsoft’s Internet Explorer and Adobe Reader.

According to preliminary reports, the Internet Explorer vulnerability has already been used in targeted attacks against 34 major corporations including Google and Adobe. At the moment, Microsoft has released an advisory, but there is no patch available for this vulnerability.

The Adobe flaw was initially discovered on December 14 and although the vendor pushed a patch on January 12 the vulnerability is still being exploited in the wild.

Internet Explorer Threat Details:

Also known as CVE-2010-0249, the Internet Explorer zero-day exploit takes advantage of a memory corruption vulnerability affecting all versions of Internet explorer except for Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4.

In order to successfully attack a target, the remote party needs to create a malicious Web page containing the exploit, a flaw in Internet Explorer’s handling of specific DOM operations. In order to lure users into visiting the compromised resource, the attacker may use e-mail spam, social networking spam or any other means of mass distribution available.

As soon as the document gets processed, the malicious code injected into it would run in the context of the current user and would likely compromise the system. If the exploit fails, then the attack would trigger a denial-of-service condition.

Under specific conditions, Internet Explorer can be tricked into allowing remote code execution by accessing an invalid pointer after an object is deleted. Although all versions of Internet Explorer are vulnerable (Including IE8 on Windows 7), risks are lower for IE8 users, as it comes with DEP (data execution prevention) enabled by default.

Adobe Reader Threat Details:

Officially known as CVE-2009-4324, the vulnerability affects Adobe Reader and Acrobat 9.2 and earlier versions. Successful exploitation could cause crashes and allow a remote party to execute arbitrary code on the victim’s computer, as well as to carry out cross-site scripting attacks.

The vulnerability exploits an error in the implementation of the “Doc.media.newPlayer()” JavaScript method, that is likely to corrupt memory when a specially crafted PDF file is run.

In order to stay safe, I recommend that you download, install and update a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection and to exercise extreme caution when prompted to open files from unfamiliar locations.