The software maker urged the more than a billion users of Flash on Windows, Mac, Chrome and Linux computers to update the product as quickly as possible.
The bug was being exploited in “drive-by” attacks that use poisoned websites to infect computers with ransomware.
Ransomware encrypts data, locking up computers, then demands payments that often range from $200 to $600 to unlock each infected PC.
Japanese security software maker Trend Micro Inc said that it had warned Adobe that it had seen attackers exploiting the flaw to infect computers with a type of ransomware known as ‘Cerber’ as early as March 31.
Cerber “has a ‘voice’ tactic that reads aloud the ransom note to create a sense of urgency and stir users to pay,” Trend Micro said on its blog.
Adobe’s new patch fixes a previously unknown “zero day” security flaw.
FireEye said that the bug was being used to deliver ransomware through what is known as the Magnitude Exploit Kit, an automated tool sold on underground forums that hackers use to infect PCs with viruses through tainted websites.