Adobe has rushed out a Flash update to plug a security hole spotted by infosec researchers, who warned that Windows 10 users of the software may have been exposed to the flaw for more than a week.Ne’er-do-wells could exploit the flaw by sending ransomware to Windows 10 machines.
Adobe said its updates addressed critical vulnerabilities in Flash, and advised users to install the latest version of the software.
It said in a security bulletin:
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS.
These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 18.104.22.1686 and earlier.
Researchers at Proofpoint—which has a good explainer of the flaw here—worked with other infosec folk to track down the latest security hole in Flash that could be exploited by attackers with a type of ransomware dubbed “Cerber.” The ransomware is understood to have been in the wild since at least March 31.
“The bug allows an attacker to send booby-trapped content to your browser’s Flash plugin in such a way that your browser will not only crash, but also hand over control to the attacker in the process,” Sophos explained ahead of the update being issued by Adobe.
While Adobe claimed that the latest in-the-wild exploits were only targeting Windows 10 users, it would be wise for Flash fans to update the software immediately. Or alternatively, altogether bin it.
This post originated on Ars Technica UK