Warnings about the insecurity of online Flash multimedia created with all but the most recent authoring tools have largely fallen upon deaf ears (...) Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday.
The researchers from Google found that, despite the fact that the vulnerabilities were published in December 2007, none of the websites checked had updated their Flash files created with the vulnerable software.
Adobe plans to release a new version of its Flash Player in early April that will prevent attackers from exploiting the issues and, likely, break much of the Flash content on Web sites that are unprepared for the changeover. The makers of major authoring tools have also closed the security holes in the Flash files created by their tools.
Msg#: 3614699 posted 10:18 pm on Mar 30, 2008 (gmt 0)
Please note that the list of authoring tools does not include Flash. From the Google Docs document:
Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe (r) Dreamweaver (r), Adobe Contribute (r), Adobe Acrobat (r) Connect (tm) (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).
This problem is not limited to authoring tools. [beep], a popular service provider, used a vulnerable controller SWF in many of their projects.
It seems that if you used Flash to create your .swf files, you're safe.