Last week’s cyber attacks, that targeted Google and several other large U.S. companies, has certainly gotten Microsoft’s attention. The attack was orchestrated, in part, through a zero-day flaw in Internet Explorer (IE). The flaw seems to be obscure, and restricted to IE 6 and IE 7, but that hasn’t stopped Microsoft from releasing an out-of-cycle patch for IE.

Microsoft has acknowledgde the flaw, and says the “vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

Microsoft, in an announcement posted today, says the confusion surrounding this particular attack has compelled Microsoft to act now. Microsoft’s primary advice: upgrade to IE 8, which is not affected by this flaw. If you don’t plan to upgrade, then updates for earlier versions will be made available, with specific timing of the updates to be announced tomorrow. In the meantime, Microsoft suggests using the workarounds and mitigations provided in Security Advisory 979352.

Image Credit: Microsoft

Internet Explorer users who have yet to upgrade to IE8 should take note. According to security firm Symantec, there's a pretty nasty Zero Day exploit that affects both IE6 and IE7.

"The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future," Symantec explained in a blog post. "When this happens, attackers will have the abilty to insert the exploit in websites infecting potential visitors."

Symantec said the attack requires JavaScript and recommends that users disable it. The security firm also suggested potentially affected users limit web surfing to only trusted sites until Microsoft releases a fix.

Image Credit: cybernetnews.com

If it seems like Adobe's Acrobat Reader is constantly under attack, well, that's because there's some truth to it. The latest threat comes in the form of another zero-day bug being exploited in targeted attacks, Adobe said.

Not a whole lot of information has been made available on the newest threat, though according to an advisory from VUPEN Security, the vulnerability in question is an unspecified memory corruption error that occurs when users open a specially crafted PDF file. VUPEN says the bug can be exploited remotely.

"Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly update, scheduled for release on October 13," blogged David Lenoe of the Adobe Product Security Incident Response Team. "Adobe Reader and Acrobat 9.1.3 customers with DEP (Data Execution Prevention) enabled on Windows Vista will be protected from this exploit."

In the meantime, Johannes Ullrich, a researcher with the SANS Institute, says users can avoid the potential threat by first converting PDFs into another format, like Postscript, and then back into PDF form. At the same time, Ullrich warns this isn't 100 percent certain to remove the exploit and could actually infect the machine mucking around with the file. Fantastic.

Anyone else using Foxit Software's super-lean freebie PDF reader, Foxit Reader?