TMCnet Feature
January 23, 2015

Flash Zero-Day Flaw Opens Up Millions of PCs to Hijacking

By Tara Seals, TMCnet Contributor

A zero-day exploit targeting the Adobe Flash Player has been spotted in the wild. Any PC running Internet Explorer or Firefox with any version of Windows is vulnerable if Flash is updated and enabled—placing millions of machines at risk for ad fraud and ransomware.



So far, Google’s Chrome browser is immune.

Adobe released an emergency patch today but independent researcher Kafeine, who first discovered the vulnerability, tweeted that even a fully updated Windows 8.1 PC fell to the infection—suggesting that the patch does not address the zero-day.

The most concerning problem is that the flaw is being distributed by the Angler exploit kit (EK), which is capable of supporting widespread drive-by infections. As security firm Malwarebytes explained, it means that vast swaths of Web surfers can get infected by doing “nothing more than reading a news website or browsing for some online shopping. They haven’t clicked a bad link, visited a risky website or installed anything strange. However, next thing they know their credit card details have been stolen, Facebook account hijacked or the pictures on their laptop are being held to ransom.”

The exploit infects vulnerable machines with a “dropper” (i.e., a piece of software that installs, or drops, other pieces of software), which in turn can be used to either hijack the machine for ad fraud purposes, or load in a worse infection, like ransomware.

In the former scenario, the dropper connects to a command and control server, and then creates enslaved computers—or zombies—that are organized into a botnet for the purpose of generating fake ad impressions for unscrupulous third parties that get paid per-click. The result for the victim is a slower machine with fewer available resources to effectively render video or rich-media Web pages.

The latter is worse for the victim. Ransomware locks up all files on a PC and demands a payment in exchange for returning access to the user. Payment is usually demanded in virtual currency, like Bitcoin, and there’s no guarantee that the perpetrators will return control of the PC.

PC users are advised to disable Flash immediately to avoid compromise. 




Edited by Maurice Nagle