Adobe is expected to release a security update as early as April 7 to fix a critical vulnerability (CVE-2016-1019) in Adobe Flash Player 21.0.0.197 and earlier that “could cause a crash and potentially allow an attacker to take control of an affected system.”
In a Tuesday security advisory, the company said it “is aware” of the vulnerability, which affects Windows, Macintosh, Linux, and Chrome OS versions, “being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 20.0.0.306 and earlier.” Adobe urged users to update to a current version of Flash Player, which includes a mitigation, introduced in the March 10 Flash Player 21.0.0.182 update, that will prevent attackers from exploiting the vulnerability.
Adobe credited researcher Kafeine (EmergingThreats/Proofpoint) as well as Genwei Jiang of FireEye, Inc. and Google's Clement Lecigne for reporting the vulnerability.