Stefano Di Paola with contribution from Giorgio Fedon (both from a brand new security research company, MindedSecurity) and Elia Florio have just released the details about a Remote Code Execution flaw in Flash Plugin 9 independent from the OS. Parsing a flv with adobe flash player it's possible to trigger an exploitable integer overflow.
By using a specially crafted "flv" video it's possible to trigger an integer overflow inside Adobe Flash interpreter which could lead to client/browser-plugin crash, arbitrary code execution or system
denial of service. All OS (Windows, Linux, MacOs,...) seem to be affected.This is a very dangerous vulnerability, in fact, an attacker could force a flash video player that is already in place on a remote web site to crash and execute arbitrary code in the context of the local machine.
Probably this will be one of the highest-impact vulnerabilities of 2007. Well done Stefano! But after UXSS we couldn't expect less ^_^
Read the original advisory on Flash Player/Plugin Video file parsing Remote Code Execution.