Adobe scrambles to patch critical vulnerabilities in Flash

An unpatched (“zero-day”) vulnerability in Adobe Flash is being used by criminal hackers to target users of Internet Explorer and Firefox on Windows 8.1 and below. To make matters worse for Adobe, just as the company pushed out a patch for the bug, security researchers identified a second bug exploiting the same vulnerability.

On Saturday, users with “auto-update” enabled finally received a patch for this second zero-day bug, and Adobe expects the update to be available for manual download this coming week.

“We are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11,” said Adobe’s Security Incident Response Team in a blog post.

In the meantime, the vulnerability is “being actively exploited in the wild via drive-by-download attacks,” according to an Adobe security advisory.

Although Windows machines are the most widely targeted by the zero-day, OS X and Linux operating systems running older versions of Flash are vulnerable as well. The bug is part of an exploit kit known as “Angler,” Forbes reports, one of the most popular software kits used by cyber criminals to hack computers. Spread through malicious advertisement links, Angler carries out a variety of attacks once it is on a computer, from encrypting files and demanding a ransom to stealing bank account information. According to BBC News, Angler was the most widely used exploit kit of 2014.

Unfortunately for Adobe, BBC News also reports that three of the top four flaws exploited by cybercrime groups are vulnerabilities in Adobe’s Flash, Acrobat and Reader programs.

Security researchers at the “Malware don’t need Coffee” blog have some simple advice for users: “Disabling Flash player for some days might be a good idea.”
