The new year hasn't been a pleasant one for Adobe: the Silicon Valley firm has scrambled to close yet more serious security holes in its Flash player.
Last week the Photoshop biz rushed out a patch for a critical flaw in Flash that miscreants were exploiting in the wild to hijack victims' computers.
Today, a new update has been pushed out to deal with two critical flaws: CVE-2015-0311 and CVE-2015-0312. The former was discovered by French malware researcher Kafeine, and the latter by someone called Bilou who contacted the Chromium team.
The vulnerability reported by Kafeine allows hackers to inject malicious code into a running machine – for example, it could be used with the Angler exploit kit to drop a Trojan onto a Windows system. Adobe said computers running Windows 8.1 or earlier are at risk.
Indeed, Adobe has evidence that CVE-2015-0311 is being exploited in the wild by hackers to attack Internet Explorer and Firefox browsers: a victim just has to surf to a website serving dodgy Flash files that leverage the plugin's security flaw to compromise the machine.
Users of Google Chrome are protected against the flaw by the browser's sandbox tech.
The Angler exploit kit was one of the most widely used hacking tools last year, according to Cisco security researchers, who labelled the kit "one to watch."
The Flash patch has been pushed out as an automatic update, and you can find a build to install by hand here. Given that at least one of the flaws is being exploited right now, it's a good idea to get patching as soon as possible.
Meanwhile, Google's YouTube now defaults to HTML5 <video> rather than Adobe Flash to stream stuff. YouTube shifts more than six billion hours of video to viewers a month, according to the site.