Last week Adobe released an update intended to patch a zero-day vulnerability which the security blog Malware Don't Need Coffee had initially discovered in certain versions of Flash.
But within hours of releasing that patch last Thursday, Adobe admitted that the hackers who exploited the initial vulnerability had already discovered how to work around the patch, meaning that Flash users were still vulnerable to hackers until at least Jan. 26, the day Adobe said it intended to release the second patch.
Adobe's updated Security Advisory also notes that a patch to fix another security flaw went out on Saturday, Jan. 24, but only to users who have automatic updates enabled. For those who update Flash manually, the second patch won't be released until sometime this week:
… users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 220.127.116.116 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26 ….
Until you are able to apply the second update to Flash, your best bet is to play it safe and disable Flash altogether.
Correction: An earlier version of this article incorrectly stated that the Jan. 24 patch fixed the initial vulnerability.