Below is a snippet from the SANS Newsbites. See Ranum's editorial comment - it'll make you shiver.
For instance, the 'exec' option here:
http://www.adobe.com/support/flash/action_scripts/actionscript_dictionary/actionscript_dictionary372.html

Kurt

--

Quantcast Casts Out Flash Cookies in Wake of Report (August 12, 2009)

In the wake of research published about Flash cookies, online tracking company Quantcast has stopped its practice of recreating customers' cookies with Flash after users deleted the regular cookies. The researchers showed that some websites were circumventing customers' wishes not to be tracked by creating the Flash cookies, which are not affected by browser privacy settings. Quantcast made the change to its practices on Tuesday afternoon after the research was published. According to the report, more than half of 100 sites scrutinized for the research used Flash cookies. Adobe has provided instructions for managing Flash cookies on its website.

http://www.wired.com/epicenter/2009/08/flash-cookie-researchers-spark-quantcast-change/
http://kb2.adobe.com/cps/546/4c68e546.html

[Editor's Note (Ranum): The active content ("run whatever some guy over there tells you!") model has always been a threat; there is simply no way around it. I'm only surprised that it has taken so long for Flash to have a spotlight shined on it. If you want to see something really scary, read about the Flash "fscommand" operator - basically it's the equivalent of system(3) in UNIX circa 1985. Running Flash in your browser is the equivalent of giving a command prompt to everyone who owns every website you visit.

(Pescatore): Palm was just outed for the Palm Pre secretly sending location information back to Palm. Hiding behind opt-out language buried in eensy beensy type in voluminous end user licensing agreements is a great way to anger your customers.]
