Adobe Systems Inc issued an emergency update on Thursday to its widely used Flash software for Internet browsers, after researchers discovered a security flaw that was being exploited to deliver ransomware to Windows PCs.
The software maker urged the more than 1 billion users of Flash on Windows, Mac, Chrome and Linux computers to update the product as quickly as possible, after security researchers said the bug was being exploited in “drive-by” attacks that infect computers with ransomware when tainted websites are visited.
Ransomware encrypts data and locks up computers, then demands payments that often range from $200 to $600 to unlock each infected PC.
Japanese security software maker Trend Micro Inc issued the first warning to Adobe as early as March 31. The ransomware delivered in the attacks is called ‘Cerber’.
Cerber “has a ‘voice’ tactic that reads aloud the ransom note to create a sense of urgency and stirs users to pay,” Trend Micro said on its blog.
The recent update fixes all previous issues. Bugs like this one, exploited before a patch exists, are called “zero-days” and command very high prices because they are harder to defend against: software makers and security firms have not had time to figure out ways to block them.
They are typically used by nation states for espionage and sabotage, not by cyber criminals, who tend to use widely known bugs for their attacks.
“The deployment of a zero-day highlights potential advancement by cyber criminals,” said Kyrk Storer, a spokesman for FireEye Inc. “We have observed ransomware and crimeware deployed via ‘zero-day’ before; however, it is rare.”
Recently, such attacks have increased in number across the United States and Europe, at places and organizations including hospitals, police stations, and school districts.