Flash zero-day vulnerabilities are a dime a dozen these days, so you won’t be surprised to learn there’s another one in the wild. Microsoft and Adobe have independently found two distinct zero-day vulnerabilities for Internet Explorer and Flash, respectively, which means it’s time to update Windows and Flash. Apparently, exploits exist for both that allow for remote code execution.
The Windows bug was already patched in this week’s May Patch Tuesday. The CVE-2016-0189 bug allows attackers to execute malicious code after a computer visits “booby-trapped websites,” Ars Technica explains. Internet Explorer is the vehicle used to exploit it, and the flaw was used in attacks on South Korean websites, security firm Symantec discovered.
Meanwhile, Adobe has been working “furiously” on a fix for a zero-day Flash attack that affects Windows, Mac, Linux and Chrome. The vulnerability, identified as CVE-2016-4117, was initially discovered by security firm FireEye. The patch is coming on Thursday, as part of Adobe’s monthly security updates.
More details about the attacks are available at Krebs On Security, which also covers a number of other security issues that Adobe patched this week in PDF Reader and ColdFusion.
What can you do to protect yourself? If you’re on Windows, install Microsoft’s latest security update to patch the IE zero-day. To fix the Flash vulnerability, you’ll have to wait until tomorrow, when Adobe releases its fix. Install it as soon as you receive the prompt to update, no matter what operating system you’re using. In the meantime, it’s best to avoid shady websites, and maybe even disable Flash altogether on your machine. Also, install the updates for any other apps that were recently patched, including PDF Reader and ColdFusion.