A new zero-day vulnerability in the popular Adobe Flash Player is currently being exploited by attackers seeking to spy on users.
The CVE-2014-0515 zero-day was discovered by security vendor Kaspersky around two weeks ago. Adobe has now confirmed the hole and issued emergency patches for Microsoft Windows, Apple OS X, as well as Linux variants and Oracle Solaris.
Kaspersky said two exploits for the vulnerability have been discovered so far. Both exploit the obsolete Pixel Bender video and image processing component in Flash Player, in what Kaspersky said is a carefully planned attack devised by "professionals of pretty high calibre."
The first exploit can infect any unprotected computer, whereas the second requires the Adobe Flash Player 10 ActiveX control and Cisco's MeetingPlace Express Add-in.
Updating Flash may require several steps depending on which web browsers are used. Microsoft's latest browsers, Internet Explorer 10 and 11, and Google's Chrome automatically update the built-in version of Adobe Flash. Users may need to close and restart their browsers, however.
The new zero-day comes after the discovery of another security hole in which Adobe Flash Player is used to attack several versions of Internet Explorer and completely compromise affected systems.
As a result of the vulnerability, the United States government Computer Emergency Response Team recommended users employ a different browser until an official update is available for Internet Explorer.
Earlier this month, Adobe issued security updates for Flash Player 12 on Windows and Mac OS X, version 11 on Linux and AIR for Android after a vulnerability that allowed attackers to remotely take control of victims' systems was found.