Adobe is working on an emergency patch for its Flash Player after attackers are reportedly exploiting a critical flaw.
The vulnerability, CVE-2016-1019, affects Flash Player version 18.104.22.168 on Windows, Mac, Linux and Chrome OS, according to an advisory published on Tuesday.
The flaw is being actively exploited on Windows XP and 7 systems running Flash Player versions 22.214.171.1246 and earlier.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” it said.
A patch could be released as soon as Thursday.
A mitigation in Flash Player version 126.96.36.199 and above prevents the vulnerability from being exploited, Adobe said.
Flash Player is a favored target for cyberattackers since it runs on hundreds of millions of computers worldwide and vulnerabilities are frequently found.
On Windows and Mac OS X, Flash Player will regularly check for updates. But the update still must be installed, which some users may neglect to do.
Adobe normally issues patches on the second Tuesday of the month, the same day as Microsoft, but issues emergency patches for particularly bad ones.
Adobe has been working for years to make Flash more secure through code reviews, but it has proven to be a mighty task for an application that’s nearly two decades old.
It has, however, seen the writing on wall. In December, Adobe acknowledged that HTML5 was the future of Web animations and built a product called Animate CC for developing content.