Adobe has released an emergency patch to fix a zero-day vulnerability actively being exploited in the wild.
Users of Windows, Mac, Linux and Chrome operating systems are affected by the security flaw, which "could cause a crash and potentially allow an attacker to take control of the affected system," according to Adobe.
The zero-day flaw is a type confusion vulnerability, but it does have limitations.
The exploit works against Adobe Flash versions 220.127.116.116 and earlier, but will only cause a crash rather than full system compromise with Flash versions 18.104.22.168 and 22.214.171.124 thanks to mitigation processes added by Adobe in these more recent versions.
Microsoft Windows is being specifically targeted, and attackers are particularly interested in using this vulnerability against systems running Windows 10 and earlier.
Adobe has now readied the emergency patch and has advised users to update immediately.
According to researchers from Trend Micro, active attacks have been observed leveraging this vulnerability through the Magnitude exploit kit in drive-by attacks.
This particular kit is linked to the Locky ransomware, malware which locks infected systems and demands payment in return for a decryption key which unlocks system files and content.
This malware was reportedly used recently in attacks against the Methodist Hospital based in Kentucky, United States.
Researchers at FireEye said:
"This is not the first time that new exploit mitigation research rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications -- such as Internet Explorer/Edge and Flash Player -- change the game.
Despite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach."