Adobe has released an update for a previously unseen flaw in Flash Player that attackers are using to hack Windows 7, 8.1 and 10 systems.
Just a fortnight after Adobe patched a dozen bugs in Flash Player, the company has released another patch to plug a zero-day, or previously undocumented, bug in the media player.
According to Adobe, an exploit for the flaw (CVE-2016-7855) is available in the wild and is being exploited in “limited, targeted attacks” against users running Windows versions 7, 8.1, and 10.
This suggests that most users don't face an immediate risk since the exploit is likely being used against high value targets, such as execs from large companies or political targets.
While the bug has only been used against Windows machines, the patch applies to Mac, Linux and Chrome OS as well. The new, secure version number is 126.96.36.199 for Flash for Mac and Windows, as well as Chrome, Edge, and Internet Explorer 11.
All earlier versions of contain a use-after free vulnerability that could allow an attacker to take control of a compromised system.
The bug was reported to Adobe by Google's Threat Analysis Group.
Despite the current narrow focus of the new Flash attacks, it is still a good idea to patch Flash Player as soon as an update is available. According to Microsoft, over 90 percent of attack pages online in 2015 contained malicious Flash Player objects.
Security firm Trustwave recently reported that almost 40 percent of the zero-day vulnerabilities identified in 2015 were in Flash Player and 80 percent of the new exploits added to widely used Web-based exploit kits were for Flash Player flaws.