Security researchers from Talos report they’ve found a vulnerability in Adobe Flash that allows attackers to take full control over the system. The vulnerability was found in the most recent version of Flash. However, Adobe reports also older versions than Flash 18.104.22.168 can be affected.
An exploit for vulnerability has also been discovered in the wild, mich means it’s actively exploited, according to the researchers from Talos, a division from Cisco. The issue affects Adobe Flash for Windows, Linux, Mac and also the Adobe Flash plugins for Google Chrome, Microsoft Edge and Microsoft Internet Explorer 11.
Attackers try to exploit the vulnerability by distributing malcious code in a Microsoft Excel document. The document contains an ActiveX object which loads a Flash file. After it has been successfully loaded, the infected computer downloads malware from a hacked server.
Adobe will release an update for Flash that should fix the vulnerability. The update is scheduled for next week. The company also advises to enable Protected View which will only open documents in read-only mode. On most Office versions this is enabled by default.