Another security flaw affects all versions of Adobe Flash
The vulnerability is being exploited by a cyberespionage group targeting governments, NATO and the media, researchers warn.
Steven Musil, Night Editor / News
A day after releasing its monthly security update, Adobe confirmed it has discovered a new vulnerability in Flash Player that affects every version running on the Windows, Macintosh and Linux operating systems.
Adobe said Thursday that it will issue an out-of-cycle security update next week to address the software plug-in's vulnerability, which it warned could cause a crash and potentially allow an attacker to take control of the affected system. The bug was discovered earlier this week by researchers at Trend Micro.
"Adobe is aware of a report that an exploit for this vulnerability is being used in limited, targeted attacks. Adobe expects to make an update available during the week of October 19," the company said in its advisory.
The San Jose, California-based software maker did not immediately respond to a request for more information on the vulnerability.
The vulnerability in the widely used plug-in is already being used in phishing attacks launched by cyberespionage group Pawn Storm against a variety of governments, according to Trend Micro. Active since 2007, the group is known to have targeted governments in Europe, Asia and the Middle East, as well as NATO organizations, the White House and US media, Trend Micro reported.
Adobe's Flash was once the de facto standard for websites to run games, stream video and deliver animation over browser software. It has fallen out of favor, however, with many tech companies and organizations, which deride the plug-in as a battery hog and security vulnerability. In its heyday, Flash ran on more than 800 million mobile phones manufactured by 20 handset makers. Its popularity has waned in recent years as more in the online video industry turn to HTML5, a developing language that can run graphics without plug-ins.
Citing Flash's poor track record with security, some researchers recommend Web users disable or remove the plug-in altogether.
"2015 has been a very bad year for the Flash Player and given that a patch won't be available for several more days it is crucial to take immediate action to protect yourself," Jerome Segura, a senior malware researcher at Malwarebytes, wrote in a blog post Wednesday. "Indeed, this window of opportunity is something that exploit kit authors have taken advantage of in the past to infect scores of end users."