Adobe acknowledges critical remote vulnerability in Flash, exploits already in the wild

Adobe on Saturday released an updated version of its Flash player software that patches an undisclosed vulnerability which could allow remote attackers to take control of Macs or PCs, urging users to update as the problem is being actively exploited by malicious actors.

Flash versions up to and including 16.0.0.287 on OS X and Windows and 11.2.202.438 on Linux are susceptible to the attack, the cause of which has yet to be detailed. Mac users with Adobe's automatic update feature enabled should begin receiving updates to version 16.0.0.296 immediately, and the company is preparing a standalone patch for manual installation to be released this week. Adobe is also working with Google to update the embedded version of Flash included in the Chrome browser.

The vulnerability —  which has been assigned CVE number 2015-0311 —  is "being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below," Adobe said in a security advisory. A "drive-by-download" attack is one in which software is downloaded to a user's computer without their knowledge or explicit consent.

Adobe defines CVE-2015-0311 as "critical," meaning a "vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware."

Users can check the version of Flash installed on their system by visiting Adobe's About Flash Player page or right-clicking on Flash content in their browser and choosing "About Adobe (or Macromedia) Flash Player" from the contextual menu. Instructions for enabling automatic updates or manually updating Flash can be found here.