Adobe issued an emergency update on Thursday to correct a security flaw with Adobe Flash Player 188.8.131.52, as well as earlier versions of the software for Windows, Mac, Linux, and Chrome. The update was introduced after researchers found a security flaw that was being exploited to deliver ransomware to Windows computers.
The software maker urged users to update the product as quickly as possible, according to Reuters. Ransomware is used to encrypt data and lock computers. The ransomware then demands payments ranging from $200 to $600 to unlock each infected computer.
Specifically, ransomware known as “Cerber” is able to penetrate Adobe’s security flaw with Flash Player. Japanese security software maker Trend Micro Inc noted in a blog post that it warned Adobe about the flaw as early as March 31.
The software update issued by Adobe corrects a previously unknown security flaw in the company’s software. These bugs are also known as “zero days” and are harder to defend against since software companies and security firms haven’t had the time to figure out ways to block them. Zero days are typically used for espionage and sabotage by nation states, rather than by cyber criminals.
CNN Money notes that Adobe didn’t reveal how many users were affected by the attacks. However, Flash Player runs on more than 1 billion computers worldwide.
Adobe first advised consumers of the security flaw earlier this week, writing in a post that “a critical vulnerability” existed in the software. The company credited EmergingThreats/Proofpoint, FireEye Inc. and Clement Lecigne of Google for reporting the bug and working with Adobe to fix it.
FireEye noted that the bug was used to deliver ransomware in the Magnitude Exploit Kit. This is an automated tool that hackers use to infect computers through an infected website. The exploit kits, which are sold on underground forums, can be used for a “drive-by” attack that seeks the infected computers automatically.
Adobe warned consumers to update their Flash Player as soon as possible to fix the security flaw.