Adobe will release an emergency Flash Player update as soon as Thursday, patching a critical vulnerability that is being publicly attacked.
Adobe said the vulnerability is in version 22.214.171.124 and earlier for Windows, Mac OS X, Linux and Chrome OS.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in an advisory published late this afternoon.
Adobe said that a mitigation introduced on March 10 in Flash 126.96.36.199 protects users against attack; users are urged to update immediately. Adobe said active attacks using CVE-2016-1019 are targeting Windows 7 and Windows XP systems running Flash 188.8.131.526 and earlier.
French researcher Kafeine, who publishes updates on his personal site on exploit kits, is one of three researchers credited with disclosing the bug to Adobe along with FireEye’s Genwei Jiang and Google’s Clement Lecigne.
Kafeine told Threatpost he would not comment before the availability of a patch.
The March 10 Flash Player update was part of Adobe’s regular monthly security update cycle. It patched 18 remote code execution flaws, including one, CVE-2016-1010, being exploited in the wild.