Adobe working on fix for yet another 'critical' Flash bug being exploited on Windows 7 and XP

A critical vulnerability in Adobe Flash? That's unusual, isn't it?

Adobe is working frantically on an out-of-band patch for a zero-day vulnerability in its Flash Player software affecting Chrome, Linux, OS X and Windows operating systems.

Adobe warned in a security advisory released on Tuesday that it has been made aware of a "critical vulnerability" in Flash Player 21.0.0.197 and earlier that could "cause a crash and potentially allow an attacker to take control of the affected system" if exploited.

Problem is, the flaw is already being exploited on Windows 7 and Windows XP systems, the firm said, which means that anyone using Adobe Flash 21.0.0.197 or earlier on the aging and unsupported versions of Microsoft's operating system is vulnerable to attack.

"Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier," the firm said.

Adobe added that a mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later.

The company thanked Kafeine of Proofpoint, Genwei Jiang of FireEye and Clement Lecigne of Google for bringing the CVE-2016-1019 Flash exploit to its attention.

Adobe is readying a patch which is due to be released on 7 April. In the meantime, users should make sure their version of Flash is as up-to-date as possible.
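The advice to check that Flash is "as up-to-date as possible" turns on three version thresholds quoted on this page: 21.0.0.197 and earlier are affected, 21.0.0.182 and later carry the mitigation that blocks the known exploit, and in-the-wild exploitation was reported on 20.0.0.306 and earlier on Windows 7 and XP. The following is an added example (not Adobe's code or anything from the advisory) of how a defender might triage an inventory of installed Flash versions against those thresholds; the inventory records, host names and status labels are constructed here, and the assumption that a version newer than 21.0.0.197 counts as patched is the editor's, pending the actual fixed build number.

```python
from typing import Dict, List, Tuple

# Thresholds quoted on this page from Adobe's CVE-2016-1019 advisory.
AFFECTED_MAX = (21, 0, 0, 197)   # "21.0.0.197 and earlier" are vulnerable
MITIGATED_MIN = (21, 0, 0, 182)  # mitigation in 21.0.0.182 blocks the known exploit
EXPLOITED_MAX = (20, 0, 0, 306)  # exploitation reported on 20.0.0.306 and earlier (Win7/XP)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Flash version into a comparable 4-tuple.

    Accepts the dotted form seen in the advisory ('21.0.0.197') and the
    comma form Flash reports about itself ('WIN 21,0,0,197'); any leading
    platform token is dropped.
    """
    token = text.strip().split()[-1]
    parts = token.replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def classify(version_text: str, windows_legacy: bool = False) -> str:
    """Map one installed version to a status against the advisory thresholds.

    windows_legacy=True means the host runs Windows 7 or XP, where the page
    says exploitation of 20.0.0.306 and earlier has been observed.
    """
    v = parse_version(version_text)
    if v > AFFECTED_MAX:
        return "patched"            # assumption: anything newer than 21.0.0.197
    if v >= MITIGATED_MIN:
        return "vulnerable-mitigated"
    if windows_legacy and v <= EXPLOITED_MAX:
        return "vulnerable-exploited-in-the-wild"
    return "vulnerable"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status so the riskiest ones are patched first.

    Each inventory record is a dict with 'host', 'os' and 'flash' keys
    (a constructed format, not any real inventory tool's output).
    """
    groups: Dict[str, List[str]] = {}
    for rec in inventory:
        legacy = rec["os"] in ("Windows 7", "Windows XP")
        status = classify(rec["flash"], windows_legacy=legacy)
        groups.setdefault(status, []).append(rec["host"])
    for hosts in groups.values():
        hosts.sort()
    return groups


# Constructed sample inventory for the usage run below.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "os": "Windows XP", "flash": "WIN 20,0,0,306"},
    {"host": "ws-02", "os": "Windows 7", "flash": "21.0.0.197"},
    {"host": "ws-03", "os": "Windows 10", "flash": "21.0.0.100"},
    {"host": "mac-01", "os": "OS X", "flash": "21.0.0.200"},
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:36s} {', '.join(hosts)}")
```

Hosts in the "vulnerable-exploited-in-the-wild" group are the ones the advisory says are already being hit and should be patched or have Flash disabled first; "vulnerable-mitigated" hosts still need the 7 April patch, since the mitigation only blocks the exploit that has been seen, not the underlying flaw.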

Just last month, Adobe was forced to release an emergency patch for yet another critical vulnerability that could allow an attacker to take control of affected systems.

These flaws could soon, but probably won't, become a thing of the past, though, as Adobe itself is encouraging developers to ditch Flash in favour of HTML5.

To learn more about enterprise security challenges, the threats they pose and how to combat them, sign up for Computing's Enterprise Security and Risk Management conference taking place on 24 November. Places are free for qualifying end users.