Adobe has been forced to slate a new out-of-band security update after reports that a critical Flash Player vulnerability is being exploited in the wild on Windows 7 and XP systems.
CVE-2016-1019 exists in Adobe Flash Player 21.0.0.197 and earlier versions for Windows, Macintosh, Linux, and Chrome OS.
According to Adobe, a successful exploit could cause a crash and allow an attacker to take control of the affected system.
The Flash-maker said it is planning an update to fix the bug as soon as 7 April.
In the meantime, it advised the following:
“A mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later. Adobe recommends users of Adobe Flash Player, who have not already done so, immediately update to the current version of Flash Player via the update mechanism within the product or by visiting the Adobe Flash Player Download Center. If you use multiple browsers, install the update in each browser you have installed on your system.”
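The advisory above gives two version boundaries that matter for an inventory check: installs before 21.0.0.182 have no mitigation, installs from 21.0.0.182 through 21.0.0.197 are affected but mitigated, and anything newer is outside the affected range. The following Python is an added example (not Adobe's code and not part of the original article) that turns those numbers into a triage over a constructed host list; the hostnames, the "22.0.0.1" patched version, and the status labels are assumptions chosen for illustration.

```python
"""Triage reported Flash Player versions against the CVE-2016-1019 advisory text."""
from typing import Dict, List, Tuple

# Boundaries taken from the advisory quoted above.
MITIGATED_FROM = (21, 0, 0, 182)    # mitigation introduced in this build
AFFECTED_THROUGH = (21, 0, 0, 197)  # last build listed as affected


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '21.0.0.197' into a comparable tuple.

    Short strings like '21.0.0' are padded with zeros so they compare as
    '21.0.0.0'; anything non-numeric is rejected rather than guessed at.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) < 4:
        nums = nums + (0,) * (4 - len(nums))
    return nums


def classify(version: str) -> str:
    """Map one version to a status label (labels are this example's own)."""
    v = parse_version(version)
    if v > AFFECTED_THROUGH:
        return "patched"            # newer than the affected range
    if v >= MITIGATED_FROM:
        return "affected-mitigated" # in range, but the 21.0.0.182 mitigation applies
    return "affected-exploitable"   # in range with no mitigation: update first


# Constructed sample inventory (hostname, reported Flash version); not real data.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-01", "21.0.0.197"),
    ("ws-02", "21.0.0.182"),
    ("ws-03", "22.0.0.1"),   # hypothetical post-fix build
    ("ws-04", "20.0.0.306"),
    ("ws-05", "21.0.0"),     # truncated report, padded to 21.0.0.0
    ("ws-06", "unknown"),    # agent failed to read the version
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return host -> status; unreadable versions are flagged, not skipped."""
    report: Dict[str, str] = {}
    for host, ver in inventory:
        try:
            report[host] = classify(ver)
        except ValueError:
            report[host] = "unknown"
    return report


def urgent_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts to update first: no mitigation, or no usable version at all."""
    report = triage(inventory)
    return sorted(h for h, s in report.items()
                  if s in ("affected-exploitable", "unknown"))


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    print("update first:", urgent_hosts(SAMPLE_INVENTORY))
```

Unknown or unparsable versions are deliberately grouped with the exploitable ones: a host whose plugin version cannot be read should be treated as unpatched until proven otherwise, and the advisory's own guidance (update every browser's copy) means one reading per host is rarely enough.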
The critical bug was found by Google’s Clement Lecigne, FireEye’s Genwei Jiang and Proofpoint’s ‘Kafeine.’
It’s no secret that Flash has become a favorite target for hackers, especially for exploitation in exploit kits (EKs) such as Angler.
In fact, it’s so popular among exploit kit-makers that F-Secure is predicting that if support for Flash is eventually phased out by browsers it could even signal the end for EKs.
F-Secure’s security adviser, Sean Sullivan, branded it “the last ‘best’ plugin still standing for exploit kits to target.”
Last month, Adobe was forced to issue a patch for Flash Player fixing 23 vulnerabilities, including one remote code execution bug – CVE-2016-1010 – being actively exploited in the wild.
Google announced recently it would follow Amazon by effectively banning Flash-based ads in Chrome, and the software is famously not supported on iOS, or other major mobile platforms.