The Flash bug has been deployed since March by a criminal gang against particular targets
Adobe has issued a patch for its Flash Player that fixes a critical security hole, which computer security experts say has been used in attacks since March.
The update is the latest sign of the frequent security problems affecting Flash Player, whose widespread presence in browsers has made it an attractive target for online criminals.
The flaw, known as CVE-2016-4171, was discovered earlier this month by Kaspersky Lab, which said it was being used against particular, high-profile targets.
“Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks,” Adobe said in release notes accompanying the update.
The patch fixes a total of 36 bugs for Flash in Windows, Mac OS, Linux and ChromeOS, some of which Adobe acknowledged were “critical vulnerabilities that could potentially allow an attacker to take control of the affected system”.
Adobe’s Flash software includes an automatic update feature, or users can download the patch from Adobe’s website.
Multiple zero-day bugs
“Just please be sure, if you take this route, that you download Flash Player from the genuine Adobe website,” wrote security analyst Graham Cluley in a blog post. “On many occasions we have seen criminals using social engineering tricks to dupe unsuspecting users into installing bogus Adobe updates, which go on to compromise their computers.”
Another option is to disable Flash or to set it to activate only when clicked, researchers said.
Google said it plans to disable Flash by default in its market-leading Chrome browser this autumn, but will temporarily exempt certain popular websites, such as YouTube, from the change.
Kaspersky Lab said earlier this month that a group it called “ScarCruft” was targeting victims in countries including Russia, Nepal, South Korea, China, India, Kuwait and Romania using two Flash exploits and one affecting Microsoft’s Internet Explorer.
A campaign Kaspersky called “Operation Daybreak”, which began in March, used the zero-day Flash bug, while another operation called “Erebus” used an older bug exploited via watering holes, or sites frequently used by a particular group.
The gang may also have used a zero-day exploit designated CVE-2016-0147 that Adobe patched in April, Kaspersky said.
Are you a security pro? Try our quiz!