Dubbed an "object confusion vulnerability," the bug tricks a user into opening a malicious file sent in an email message which can cause Flash to crash, potentially giving the attacker control of the affected PC.
First reported by Microsoft Vulnerability Research, the bug resides in Flash Player code for Windows, Mac, Linux and Android, though Adobe claims that the exploit being used only targets Internet Explorer for Microsoft's OS. Users who installed Flash on Google Chrome are unaffected as the browser updated automatically.
"Adobe recommends users of Adobe Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 18.104.22.168," Adobe said in the bulletin. "Users of Adobe Flash Player 22.214.171.124 and earlier versions on Android 4.x devices should update to Adobe Flash Player 126.96.36.199. Users of Adobe Flash Player 188.8.131.52 and earlier versions for Android 3.x and earlier versions should update to Flash Player 184.108.40.206."
While Windows users who have selected the "silent update" option will receive the update automatically, those who did not or are running Flash 10.3.x or later for Mac must manually install the fix from within the program. To verify that the latest version of Flash is installed, users must navigate to the "About Flash Player" page or right-click on content running Flash within a webpage. Each browser on a given computer should be checked.