Flash users, it's time to update the plugin ASAP. Adobe has today issued an emergency security update to patch a critical vulnerability, just three days after the last update. Adobe says the vulnerability could potentially give an attacker control of an affected system.
This update will bring the Flash NPAPI plugin up to version 184.108.40.206 on Windows and OS X clients. Chrome and Edge will automatically update themselves with the latest plugins for those browsers, according to the security bulletin.
Peter Pi of Trend Micro says that, if it's left unpatched, this vulnerability could allow attackers to get around mitigation techniques that Adobe and Google created together. His blog post about the vulnerability goes into great detail. The basic idea is that the definition of a ByteArray in Adobe's ActionScript programming language isn't protected by these mitigation techniques. A piece of malicious code can be turned loose by using an externalizable object to set the length attribute of a ByteArray to 0xfffffff6.
According to Trend Micro, the most recent zero-day attack is probably part of an ongoing campaign against the United States and other NATO members. The spate of Java and Flash vulnerabilities discovered from the Hacking Team leak was also used by this campaign, which has been dubbed Pawn Storm. While the attacks have had a limited scope, it seems that it's just a matter of time before more attackers exploit these vulnerabilities now that they're out in the open. Be sure to update Flash, or even better, just disable it if you can.