I’m guessing there’s a better than decent chance that you’ve already heard about this, but this is such a bad one I thought I would just make sure: The appropriately-named Hacking Team was hacked earlier this week, and in the 400 gigs of data stolen from them was a previously unknown 0-day Flash exploit. The exploit allows web sites to execute arbitrary code on vulnerable machines.
The Hacking Team makes a living selling tools that allow their clients, mainly governments and law enforcement, to surveil internet users and snoop on encrypted internet traffic. An important part of their service is collecting unknown exploits and keeping them a secret so they don’t get patched, and can continue to be exploited.
Flash gets updated a lot, often for security purposes. What usually happens is a security firm, or a hacker looking for a bounty, or Adobe itself will find a vulnerability, and the Flash team will quietly patch their software before the exploit becomes widely known. This time, the exploit is already out there, and is quickly making its way into malware tools.
And now you should go patch Flash.