Information Week is running a story on recent developer complaints over the security of Adobe's Flash rich media format. The claim is that Flash lacks the security controls needed to prevent the format from being used by malware developers to direct users to their sites. Quoting the text of the original article:
"The problem is that [Flash] .swf files are being actively manipulated by malware authors to deliver [malicious] ads, and it's nothing to do with a particular vulnerability," explained Alex Eckelberry, President and CEO of Sunbelt Software, in an e-mail. "It has to do with the flexibility the Flash format offers, and the fact that end-users have no control over what's offered in Flash (it's all or nothing)."
In contrast to Adobe's initial tight-lippedness over a recently discovered Reader vulnerability, late last week an Adobe employee named John Dowdell came to the defense of Flash in a posting on a blog hosted by Adobe (d.b.a. Macromedia). Dowdell disputes the need for a zones-of-trust security model in Flash.
The writer thinks the solution is in Internet Explorer's "trusted domains" scheme, but I think that conclusion is offbase... the "trusted domains" hack was to cover the architectural error of invoking system-level ActiveX Controls from the webpages of strangers, and in this case you're actually dealing with *multiple* domains (the visited page, the ad network, the destination scammer site)... I don't think the raw consumer public should have to dope out all those redirections.
Dowdell then goes on to identify what he thinks is the real issue.
I believe the core problem is actually larger: the execution of instructions from strangers -- the mashup culture -- this is the real issue here. The site owner accepted content from an ad network which did not fully vet its content providers. A SWF can redirect without a click, as can an IFRAME, an analytics script, or any other bit of third-party JavaScript. We need to trust the content we're integrating into our own webpages. This decision is properly decentralized to site owners, who choose ad networks which exercise appropriate discretion over the advertisers they accept.
Regardless of whether you believe that Dowdell's defense has merit, it is refreshing to see an Adobe employee using a blog to address criticism in a direct and honest manner.