Adobe gives advance warning that it's planning to release a critical security update for Flash tomorrow. The bug potentially allows attackers to take remote control of affected systems. Attackers are actively exploiting the bug on systems running Windows 7 and XP in combination with Flash Player version 184.108.40.2066. Users running Flash Player 220.127.116.11 or later should be safer as this version introduced a mitigation technique but a real fix isn't expected until Thursday at the earliest.
A critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 7 and Windows XP with Flash Player version 22.214.171.1246 and earlier. A mitigation introduced in Flash Player 126.96.36.199 currently prevents exploitation of this vulnerability, protecting users running Flash Player 188.8.131.52 and later.
Adobe is planning to provide a security update to address this vulnerability as early as April 7.