Adobe will this week issue an out-of-band patch for Flash after spotting a critical flaw that is now being "actively exploited" in the wild.
The flaw, CVE-2016-1019, affects Flash Player version 126.96.36.1996 and older for Windows, OS X, Linux, and Chrome OS. Adobe made the jump to patch after learning that users of Windows 7 and Windows XP are being actively targeted by malware writers exploiting the flaw. It hopes to have the fix out by April 7 or as soon as possible afterwards.
If you're running a version of Flash later than 188.8.131.52, then a mitigation for the attack is already in place in the plugin. Full details can be found here.
"Adobe would like to thank Kafeine (EmergingThreats/Proofpoint) and Genwei Jiang (FireEye, Inc), as well as Clement Lecigne of Google for reporting CVE-2016-1019," the Photoshop giant said in today's advisory.
No doubt Flash users are getting used to the patching business: on Adobe's Patch Tuesday every month, but also with regular out-of-band patches. As one of the most-used third-party browser tools (for the moment at least), Flash remains very popular with the verminous end of the coding business.
It's Adobe's blessing and its curse that it invented Reader and acquired Flash – two immensely popular bits of code that then proved the perfect conduit to get around browser security. All is not lost for Flash, but it might be time to dump it and save the energy. ®