Adobe is developing a patch for a critical vulnerability in Flash, which the company says is being actively used by attackers on computers running Windows XP and Windows 7. The patch will be available on Thursday.
Adobe identifies the vulnerability as CVE-2016-1019, which was discovered with the help of several security researchers. Among them are employees of Google and FireEye, along with the researcher Kafeine, who maintains the blog “Malware don’t need Coffee” among other things. The critical vulnerability is present in Flash Player version 126.96.36.199 and earlier, but Adobe states that a mitigation has been introduced in Flash Player version 188.8.131.52, keeping users of that version and above safe.
The vulnerability allows an attacker to cause a crash and possibly also take control of a vulnerable system. The vulnerability exists on Windows, OS X, Linux, and Chrome OS, but is only being actively exploited on older versions of Windows running version 184.108.40.2066 of the Adobe software. It is recommended to update to the latest version as soon as possible. Users can check their Flash version on any Adobe page.
French researcher Kafeine told Threatpost that he would not disclose the vulnerability until the patch was made available by Adobe. The Flash Player software regularly receives critical security updates and other patches; for example, the update that Adobe released at the end of last year closed 78 vulnerabilities.