Adobe has released an emergency update for its widely used Flash Player to combat active attacks that exploit a previously unknown security bug that hackers are actively exploiting to surreptitiously install malware on end-user computers.

The vulnerability, which affects the latest versions of Flash, was being exploited in drive-by attacks on the websites of at least three nonprofit organizations, according to a blog post published Thursday by researchers from security firm FireEye. Two of the institutions—the Peter G. Peterson Institute for International Economics and the Smith Richardson Foundation—focus on matters of national security and public policy. The targets, combined with the technical signatures of the attacks themselves, have led researchers to suspect that the attackers are the same ones behind similar campaigns from 2012. The FireEye researchers wrote:

This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues. The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically. This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.

The vulnerability, which is indexed as CVE-2014-0502 under the common vulnerabilities and exposure system, allows attackers in certain cases to execute malicious code by overwriting the virtual function table pointer of a Flash object. In a testament to the growing effectiveness of modern exploit mitigation techniques, a protection known as address space layout randomization (ASLR) prevents the exploit from working on the vast majority of machines. ASLR vastly decreases the chances that a remote-code-execution attack will succeed by loading downloaded scripts in a different memory location each time the computer is rebooted. The attackers behind the campaign discovered by FireEye found a way to bypass ASLR on computers running older software. Specifically, PCs running Windows XP, Windows 7 with the now-unsupported 1.6 version of Oracle's Java, and Windows 7 with a now out-of-date version of Office 2007 or Office 2010 don't benefit from the protection of ASLR.

Readers should remember that versions 12.0.0.44, 11.7.700.261, or earlier of Flash, regardless of the platform they run on, contain the underlying vulnerability. It's not uncommon for attackers to find new ways to exploit the same vulnerability. That means everyone should install Adobe's emergency update. ASLR, security sandboxes, and similar mitigations are highly valuable protections, but they are by no means foolproof, as the attacks demonstrate. Users should never regard these tools as a substitute for patching vulnerable software. The attacks are also a reminder of the damage that can result when running out-of-date programs from third parties.

Adobe's Flash update is the second unscheduled release for the ubiquitous program this month. Adobe has more details about it here. It comes within hours of Microsoft releasing a stop-gap fix for a vulnerability in versions 9 and 10 of its Internet Explorer browser to combat a separate zero-day campaign. Ars strongly recommends readers to update to version 11 of IE, since it contains exploit mitigations not available in earlier releases. Those who are prevented from running version 11 should install the Microsoft fix as soon as possible.