Adobe's Flash is probably one of the most dangerous plug-ins to have turned on by default as it's continuously under attack by cybercriminals. Another zero-day attack for Adobe Flash is currently being exploited in the wild, Adobe issued a security advisory and promises to roll out a patch on May 12th. The bug affects Windows, Mac, Linux and ChromeOS.
A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
There's also a new zero-day attack for Windows but fortunately, Microsoft patched it as part of this month's Patch Tuesday update cycle. The bug involves the JScript and VBScript engines, with Internet Explorer being the vehicle used to exploit it:
Cataloged as CVE-2016-0189, the security flaw allows attackers to surreptitiously execute malicious code when vulnerable computers visit booby-trapped websites. In the days or weeks leading up to Tuesday, it has been exploited in targeted attacks on South Korean websites, according to a blog post published by security firm Symantec. Technically, the vulnerability resides in the JScript and VBScript engines, but IE is the vehicle used to exploit it.