On Tuesday, Adobe pushed out security updates for ColdFusion and Adobe Acrobat and Reader, and also announced an update for Flash Player that should be released on Thursday and will fix a zero-day flaw (CVE-2016-4117) that’s being actively exploited in attacks in the wild.
What kind of attacks? Adobe didn’t say. But the vulnerability is considered to be critical, as successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
It affects Adobe Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh, Linux, and Chrome OS, and was discovered by Genwei Jiang of FireEye.
Genwei Jiang is also one of the researchers credited with the discovery of a Flash Player zero-day vulnerability (CVE-2016-1019) that was patched in April. The flaw, an exploit for which was integrated into the Magnitude Exploit Kit, was exploited to deliver Locky ransomware.
So, if you use Flash Player, be ready to patch your installation as soon as possible once the fix is released. Alternatively, given all these problems, you might want to reconsider its use and uninstall the media player altogether.