If you’re running Adobe Flash on your Windows, Mac, Linux or Chrome OS computer you’re potentially at risk.
Adobe has issued a security advisory, warning of an as-yet unpatched critical security hole in its popular Flash player software that is reported to be actively exploited by criminals in the wild.
No detailed information about the zero-day exploit (known as CVE-2016-4117) has yet been released. However, I don’t think anyone would be surprised if we heard that the unpatched vulnerability was being exploited in malvertising campaigns or watering hole attacks, perhaps in co-ordination with something like the notorious Angler Exploit Kit.
No doubt we will learn more about the nature of the attacks in the coming days, as Adobe says that it hopes to release a security update for the software this week (most likely it will arrive later today).
For now all we know are the curt details shared by Adobe in its advisory:
A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
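The advisory gives a version ceiling rather than a list, so the practical check for a defender is "is the installed Flash Player at or below 21.0.0.226?" The script below is an added example, not code from the article or from Adobe: it parses dotted version strings numerically (a plain string comparison gets this wrong, since "21.0.0.99" sorts above "21.0.0.226" character by character) and flags hosts in a constructed inventory. The hostnames, the inventory format, and every version other than 21.0.0.226 are assumed sample values.

```python
"""Flag Adobe Flash Player installs at or below the version Adobe's advisory
names as affected by CVE-2016-4117 (21.0.0.226 and earlier).

Added example; not part of the original article or of Adobe's advisory.
The inventory below is constructed sample data, not a real scan result.
"""
from typing import List, Tuple

# Highest affected version, as stated in the advisory quoted in the article.
AFFECTED_MAX = "21.0.0.226"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints.

    Numeric comparison matters: a naive string compare would rank
    "21.0.0.99" above "21.0.0.226" because "9" > "2".
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True if `version` is at or below the highest affected version.

    Shorter tuples are zero-padded so that "21.0" compares as 21.0.0.0.
    """
    a, b = parse_version(version), parse_version(affected_max)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported Flash Player version is affected."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: (hostname, Flash Player version reported by
# the endpoint). Hostnames and versions other than 21.0.0.226 are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "21.0.0.226"),  # exactly the advisory's ceiling: affected
    ("ws-02", "21.0.0.99"),   # older build: affected (string compare would miss it)
    ("ws-03", "21.0.0.242"),  # hypothetical newer build: not affected
    ("ws-04", "20.0.0.306"),  # older major version: affected
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player at or below {AFFECTED_MAX}, update or disable")
```

Where the version string comes from depends on the platform (the browser's plugin page, the Flash Player DLL's file properties on Windows, the package manager on Linux); the comparison logic is the same whichever source feeds it.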
Obviously it makes sense to run a layered defence on your computer systems, which includes keeping your anti-virus and other software updated.
But more than that, you may wish to take this opportunity to consider your relationship with Adobe Flash – which has been troubled with flaws and malicious attacks many times over the years.
Even if you’re not ready to completely uninstall Flash, you may wish to consider enabling “Click to Play” in your browser to reduce your attack surface.