Adobe released a critical security update for its Flash Player on Mac OS X, Windows, and Linux that patches an exploit hackers are currently using to install malware on Windows PCs. The update didn't, however, patch a second critical security flaw that's already in the wild. Adobe says a fix for that is coming next week.
Adobe patched one critical zero-day Flash exploit, but left another open
The active exploits seem to be limited to Internet Explorer and Firefox on Windows PCs for now, but Mac and Linux systems could be targeted, too. Hackers are using the flaw to push the Bedep payload to victim's computers which lets them install ad fraud software and other malware.
Adobe's Flash Player 18.104.22.1687 update for Mac and Windows, and 22.214.171.1248 update for Linux addresses one zero-day vulnerability, but leaves a second open to hackers. The fix for that will apparently come out in the next few days. In a security note for Flash users Adobe said,
Adobe is aware of reports that an exploit for CVE-2015-0310 exists in the wild, which is being used in attacks against older versions of Flash Player. Additionally, we are investigating reports that a separate exploit for Flash Player 126.96.36.1997 and earlier also exists in the wild.
Attackers are using hacked websites to push their malicious payload to victim's computers, making it important to avoid websites you aren't certain you can trust.
If you don't need Flash, this is a perfect example of why you should uninstall it from your computer. If you do need Flash, security researcher Kafeine, who has been following the exploit closely, offered some good advice saying, "Disabling Flash player for some days might be a good idea."
For users who can't get away with uninstalling Flash, they can check to see which version they're running at the Adobe website.