A critical zero-day vulnerability has been uncovered in Adobe's Flash Player that is being actively exploited in real-world attacks to infect unsuspecting internet users with malware. In an advisory released as part of its monthly Patch Tuesday security updates, Adobe said the flaw affects Windows, Mac, Linux and Chrome OS. However, the firm admits a full fix is not due until 12 May.
"A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 220.127.116.11 and earlier versions," Adobe revealed. "Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild."
Until the patch is released, Flash users remain at risk of exploitation from hackers and cyber-criminals. Even after the update is unveiled, any internet user who fails to install the update will be left vulnerable. For the latest information, Adobe has advised users to regularly check its Incident Response Team blog.
The software firm has credited Genwei Jiang of security firm FireEye with reporting the flaw. Jiang previously worked alongside researchers at Proofpoint to disclose a separate zero-day flaw on 2 April that was being used to serve Cerber and Locky ransomware to unlucky victims.
Death to Flash?
In recent years, Adobe has been forced to release numerous fixes for critical flaws uncovered in its Flash product, which many websites still use to play media content and show advertising. This has led many major technology firms, including Mozilla, Google and Facebook, to move away from the software in favour of HTML5 for displaying content.
Last year, Facebook's head of security Alex Stamos publicly called for the death of Flash. "It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day," he wrote on Twitter.
Another post added: "Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once."
Meanwhile, security researcher and blogger Graham Cluley has consistently lambasted Adobe over Flash's security record. "The problem is that perhaps Adobe doesn't feel happy acknowledging that securing Flash is beyond them, and so is unwilling to drop the product," he said last year after a leak of data from Hacking Team exposed a number of zero-day exploits.
Cluley added: "The truth is that the company would probably gain a lot more respect from the internet community if it worked towards this ultimate fix for the Flash problem, rather than clinging on to the belief that it might be able to one day make Flash secure. As it is, the only people who truly seem to love Adobe Flash these days are the criminals themselves."