14 DAY TRIAL // Adobe is trying to raise awareness for a Flash security bug scheduled for release tomorrow, a vulnerability which the company claims it's actively exploited in real-world attacks.
The issue (CVE-2016-1019) affects Adobe Flash Player 21.0.0.197 and earlier versions, running on all platforms, Chrome OS, Linux, Mac, and Windows.
CVE-2016-1019 lets attackers hijack workstations
According to Adobe, successful exploitation of CVE-2016-1019 could lead to system crashes that can potentially allow attackers to run code on targeted machines. Depending on the attacker's technical abilities and experience, they could leverage the flaw to take over devices.
Current information reveals that this vulnerability has already been used on Windows XP and Windows 7 machines running Adobe Flash Player 20.0.0.306 and earlier.
Adobe says that security mitigation features introduced in Flash Player 21.0.0.182 make exploitation of this bug impossible on machines running recent Flash versions, but the vulnerability still exists in the Flash Player source code. The company plans to patch this issue with tomorrow's release.
A trio of researchers discovered and reported the bug
Adobe has credited three researchers for discovering the flaw. These are Kafeine (EmergingThreats/Proofpoint), Genwei Jiang (FireEye, Inc.), and Clement Lecigne (Google, Inc.).
It is highly recommended that users always run the latest version of the Adobe Flash Player. Additionally, to avoid any issues, Web browsers can automatically block the execution of Flash code, and allow the user to decide on a per-page basis where this can happen. This method ensures that Flash code is executed only on trusted sites, where there's a smaller chance (not impossible) of finding malicious content.
While many hope for "Flash to die," the technology is too widespread for it to be removed entirely. While modern technologies can successfully replace all of Flash's benefits, the technology is still needed on older, outdated systems, usually found in corporate or government networks.
UPDATE: Adobe has updated its advisory to say that all Windows versions are affected, not just XP and 7. This means even the latest Windows 10 version.