It may be time to disable Flash Player: a patch to fix a critical flaw in the latest version of the software won't be available for several days.
Adobe this week confirmed that the critical flaw affects the latest version of Flash Player on all platforms. However, while there are credible reports that the browser plugin is under attack, a fix isn't due until at least after the weekend. In an advisory published on Thursday, Adobe said a fix will be released "during the week of January 26".
"A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 188.8.131.527 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in the advisory.
"We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below," it added.
Adobe hasn't yet provided details about the vulnerability that was exploited; however. is likely to provide details once the fix is released.
Security researcher Kafeine reported on Wednesday that an up-and-coming threat known as the Angler exploit kit contained an attack that successfully compromised multiple versions of Windows with the latest version of Flash Player enabled in Internet Explorer 6 through to 11, as well as Flash in Firefox, but not Chrome.
The particular exploit kit analysed was distributing ad fraud malware, but could also be used to install other malicious components also.
Until yesterday, the latest version of Flash for Windows and Mac was 184.108.40.2067. However, Adobe also released an unscheduled fix for Flash Player addressing another recently-discovered flaw (CVE-2015-0310), which was also known to be under attack.
This flaw also affected all platforms and brought the latest version for Windows and Mac up to 220.127.116.117, addressing "a vulnerability that could be used to circumvent memory randomization mitigations on the Windows platform."
While there haven't been reports of attacks on Flash Player on Linux machines, it too is vulnerable.
According to Adobe, affected versions of Flash Player include 18.104.22.1687 and earlier versions for Windows and Macintosh; 22.214.171.1242 and earlier 13.x versions; and 126.96.36.1998 and earlier versions for Linux.
Read more on this story