Kill Flash: Adobe says patch to fix under-attack hole still days away

Just a day after its monthly batch of security updates, Adobe has confirmed it will issue an emergency critical patch for Flash next week.

With somewhat regrettable timing, given Adobe's patching cycle, Trend Micro's security researchers announced on Tuesday that it had discovered in the plugin a vulnerability, CVE-2015-7645, and that it was being used by hackers who were targeting officials in governments in NATO.

On Wednesday, Adobe acknowledged that the programming blunder affects all known versions of Flash Player for Windows and Mac systems – including the Extended Support Release, as well as Flash Player 11.2.202.535 and earlier 11.x versions for Linux.

The software hole can cause a targeted system to crash at best, and at worst to allow remote-code execution, allowing miscreants to hijack PCs. Malicious Flash files leveraging the bug to install malware have been sent in emails from a spoofed Outlook address claiming to contain details of terrorist attacks or political news.

How to patch flash 0-day: 1) Uninstall flash 2) You don't need flash 3) Stop installing flash

— MalwareTech (@MalwareTechBlog) October 13, 2015

Adobe rates the flaw as critical, says it is working on a patch, will have one out some time after Sunday. In the meantime, there is no workaround, so El Reg suggests – as it has in the past – removing Flash altogether or at least enabling click-to-play in your browser so you only run Flash files you can trust. ®