Today Macromedia has released a security tech note about the issue: Macromedia: MPSB02-08 – Macromedia Flash Player Cross Server Scripting Security Issue
It describes the problem in detail, and most interestingly offers a solution to the problem. Macromedia is announcing that they will be releasing a new version of the Flash 6 player in July, which will allow for a new PARAM/EMBED tag when including Flash content in an HTML page. The new parameter will be called “AllowScriptAccess” and can be set to “always” or “never”. When set to “never” it would disallow outbound scripting (ActionScript getURL() actions that specify a scripting statement).
[Via Mike Chambers]