This is from a security bulletin from Riseup.net about a month ago:
Adobe Flash Advisory
Adobe Flash is a plugin for most web browsers that allows the browser to display interactive content such as games and videos. In a new vulnerability announced on Monday, Adobe Flash can be tricked by a website you visit or a document you open to allow a remote attacker to take control of your computer.
Who does this affect?
The problem exists in all web browsers that have Adobe Flash, on all operating systems. It also affects Microsoft Office.
By combining this vulnerability with others, an attacker can take total control over your computer, read all your data, capture all your login accounts, spy on you through the webcam, and so on.
What can I do to protect myself?
Disable Adobe Flash immediately. It is a constant source of security holes, and is being discontinued by Adobe.
Until recently, sites like YouTube relied heavily on Adobe Flash. Today, however, you don't need Adobe Flash in order to use most sites with dynamic content or video. Because of this, you should disable or uninstall Flash entirely. If you have some burning reason you need Adobe Flash, you can also upgrade Flash to the new version without the vulnerability.
Chrome: Preferences: Settings > Show advanced settings > Content settings > Flash > uncheck "Allow sites to run Flash".
Firefox: Tools: Add-ons > Plugins > Flash > Never Activate.
For instructions on how to uninstall Flash for every browser, see https://www.howtogeek.com/222275/how-to-uninstall-and-disable-flash-in-every-web-browser/
See Adobe's security advisory for instructions on how to get a patched release of Flash: https://helpx.adobe.com/security/products/flash-player/apsb17-32.html
An attack using this vulnerability in Adobe Flash was observed on October 10 by Kaspersky Lab. The vulnerability was being used to infect the victim's computer with the FinFisher malware. The group behind the attack is believed to be BlackOasis, aka NEODYMIUM, which historically focuses on targeted attacks against civil society actors in Turkey. BlackOasis is classified as an "advanced persistent threat" and is believed by many researchers to be a customer of the Gamma Group, a German and UK corporation with a long history of surveillance and monitoring of activists.
For further reading, see: