I know you told me - for teh most part - Flash is disabled in the sigs. But I wanted to make sure you've seen this and that it doesn't pertain to us bee users/software operators.

And I guess just for everyone else to be able to know about if they don't already!

If I'm reading it right, it's only a problem if you allow people to upload files and use them as content on the page. If the Flash file is hosted on a different server to the site / forum it's not a problem.

By default Beehive prevents users from being able to embed attachments they upload, so although you would still be vulnerable you would have to click and open the swf that is attached to the post to initiate the attack.

These type of attacks are nothing new. A few years back MSIE suffered with a mime-type flaw which meant less than honest people could rename Javascript / VBScript files to have an image file extension (.jpg) and IE would still execute it.

Anyone who lets users upload and then execute stuff deserves everything they get. That's the biggest no-brainer on the planet.

Flash is executed by the browser, so all it's going to take for this to be real nasty is a forum like this that allows users to upload files to use in their sigs. Then anyone who looks at a thread where that user has posted is done.