Software firm Adobe has rushed out a patch for a critical flaw in Flash Player, which Google's security researchers have discovered is being used to attack Windows.
The bug, a use-after-free memory issue, was reported by members of Google's Threat Analysis Group.
"These updates address a critical vulnerability that could potentially allow an attacker to take control of the affected system," Adobe said.
Adobe has been told that an exploit for the bug is in the wild and is also being used to hack some users running Windows 7, Windows 8.1, and Windows 10.
It doesn't describe the profile of targets, but they're likely to be high value since the exploit is only being used in "limited, targeted" attacks. The bug has been tagged CVE-2016-7855.
If you've installed Adobe's bug-prone Flash Player on a Windows or Mac desktop, you should update 220.127.116.11.
If you're only using the Flash Player plugin within Chrome, Internet Explorer 11 or Edge, the patch will be delivered in browser updates by Google and Microsoft, respectively. Linux users with Flash Player installed need to update to version 18.104.22.1683.
While the attacks are limited at present, Microsoft recommends users always ensure Flash Player has the latest patches because of its prevalence in malicious code planted on websites.
According to Microsoft, Flash Player "objects" were used in 99.2 percent of all web-based malware it detected in the fourth quarter of 2015, up from 93 percent in the first quarter.
Java used to be the go-to tool for hackers, but as Microsoft, Google, and Mozilla dropped support for it in their respective browsers, hackers turned to Flash, which is still supported by major platforms.
Microsoft, Mozilla, and Google have outlined plans to phase out Flash Player in favor of HTML5, but efforts to shield it from exploits until that happens have proven difficult.
In 2015 Google's hackers at Project Zero and Microsoft researchers helped Adobe harden Flash Player against certain classes of attacks found in several Flash Player zero-day exploits that year.
These were implemented by Adobe in mid-2015. However, within six months an advanced hacking group known as Darkhotel figured out how bypass some of the new defenses, leading to a new round of Flash zero-day exploits in December.