Adobe is advising folks to update Flash Player – as malware is right now exploiting a newly discovered hole in the internet's screen door to hijack Windows PCs.
The emergency patch addresses a single vulnerability, CVE-2016-7855. The use-after-free programming blunder allows an attacker to achieve remote code execution when the user views a specially crafted Flash media file.
The vulnerability was discovered and reported to Adobe by Neel Mehta and Billy Leonard from the Google Threat Analysis Group, but a patch could not be released before attackers were able to get exploits working in the wild.
Adobe says it is aware of attacks currently targeting Windows machines (Windows 7 and later) for malware infection.
Users and administrators of machines running Flash Player on Windows, macOS, and Linux are being advised to update their software as soon as possible to avoid further attacks.
Those using Google's Chrome browser will get the update automatically, and those using Microsoft Edge and more recent versions of Internet Explorer (IE 11 and later) will get the fix directly from Microsoft.
For all other users, the patched version of Flash Player on Windows and OS X/macOS is 126.96.36.199. For Linux, the patched version is 188.8.131.523.
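The update advice above boils down to two checks an administrator has to make per host: is the installed build at or above the patched one, and does the fix arrive automatically (Chrome, Edge, IE 11+) or must it be installed by hand? The following Python helper is an added example written for this article, not code from Adobe, Microsoft, Google or The Register. The browser labels (`chrome`, `edge`, `ie11`) and the build numbers used in `main` are constructed placeholders; substitute the patched version strings from Adobe's bulletin for your platform.

```python
"""Decide whether a Flash Player install needs action for CVE-2016-7855.

Added example written for this article; it is not code from Adobe or from
The Register. It encodes the advice above: Chrome updates Flash itself,
Edge and IE 11+ receive the fix from Microsoft, everyone else must install
the patched build by hand. The patched build numbers are supplied by the
caller; the sample values in the usage section are constructed
placeholders, not Adobe's real build numbers.
"""
from typing import Dict, Tuple

# How the fix is delivered, per the article's breakdown. Assumed labels.
AUTOMATIC_CHANNELS: Dict[str, str] = {
    "chrome": "automatic via Google Chrome update",
    "edge": "delivered by Microsoft through Windows Update",
    "ie11": "delivered by Microsoft through Windows Update",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'major.minor.build.patch' into a tuple of ints.

    Comparing the raw strings is wrong ('9' sorts after '10'), so every
    component is converted to an integer first. Raises ValueError on
    anything that is not dotted digits.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, patched: str) -> bool:
    """True when the installed build is at or above the patched build.

    Shorter strings are zero-padded so '23.0.0' compares as '23.0.0.0'.
    """
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def assess(browser: str, installed: str, patched: str) -> Dict[str, object]:
    """Report whether a host needs manual action.

    browser: 'chrome', 'edge', 'ie11' or anything else (e.g. 'firefox').
    installed/patched: dotted version strings.
    """
    key = browser.lower()
    channel = AUTOMATIC_CHANNELS.get(key, "manual update from Adobe")
    current = is_patched(installed, patched)
    if current:
        action = "none, already at or above patched build"
    elif key in AUTOMATIC_CHANNELS:
        # Auto-update channels still need verifying, but nobody has to
        # fetch an installer.
        action = f"confirm the update arrives: {channel}"
    else:
        action = "install the patched build from Adobe now"
    return {
        "browser": browser,
        "patched": current,
        "channel": channel,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed placeholder build numbers, NOT Adobe's real ones.
    patched_windows = "99.0.0.200"
    inventory = [("chrome", "99.0.0.200"),
                 ("firefox", "99.0.0.190"),
                 ("ie11", "9.0.0.0")]
    for browser, installed in inventory:
        print(assess(browser, installed, patched_windows))
```

The integer-tuple comparison is the part worth copying: a naive string comparison reports a build "9.x" as newer than "10.x", which is exactly the kind of mistake that leaves an unpatched plugin marked as current.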
The update comes just two weeks after Adobe issued a scheduled update for Flash Player that addressed 12 different CVE-listed security flaws for the popular browser plug-in.
This latest exploit will only further underscore the arguments from the security community to get rid of the bug-prone Flash Player in favor of the newer, more secure HTML5 standard for multimedia web content.
While web publishers have largely begun migrating to HTML5 apps from Flash, browser developers such as the Mozilla Firefox team have gone a step further and begun placing tighter constraints on how Flash files can be run within their browser windows.
Mozilla says that by next year, Firefox will block all Flash content by default, allowing only content that users expressly choose to run. ®