During the recent OWASP NYC AppSec conference, Adi Sharabani & Ayal Yogev, both from the IBM Rational application security research group, gave a presentation on Flash security and revealed the details of a new Flash-related attack vector called Flash Parameter Injection (FPI).
You can find more information on FPI at the following two links:
- Flash Parameter Injection - OWASP Presentation (be sure to view in full screen, as this presentation contains some nifty animations)
- Flash Parameter Injection - Advisory / Whitepaper (PDF format)
It appears that the world of Flash & Flex web application security is still in its infancy, but you can rest assured that our team will continue to research new vulnerabilities and develop new techniques to combat and detect them. So... stay tuned for new developments from IBM Rational application security.