That’s awesome. Every programmer can also just not cram 200 bytes into buffers that are only big enough for 100. No need to change the C libraries. Bad programming? Use good programming. It’s so simple! How could we not have seen it!
The superstar in question, X-Force's Mark Dowd, found a twisty path past many traps intended to protect the Flash plugin and your computer's integrity and came up with a way to inject arbitrary code into the host computer from a Flash widget/movie (this is definitely not supposed to happen). That would be awesome (and terrible, yes) enough, but he did it with style and creativity that impressed his peers ... and will inspire lesser individuals to use his knowledge for petty evil. Oh, and yeah, it cuts right across the best stuff Vista has, from most people's reading. More testing will confirm. In the meantime, once again, leaving Flash enabled means any website you visit could accidentally or intentionally be hosting one of these little charmers, which can take over your computer. Just like a malicious ActiveX control, JPEG file, or Java applet could, for given weeks in the recent history of the web, etc., etc.
The specific vulnerability will be patched (hopefully quickly), the class of bug will remain, and stupid people will still be allowed to program... Computer programming is a young discipline and its security younger still, which is why it's so fun and exciting. Good thing no one relies on any of these prototypes for anything important. Right?
Edits: The posts are piling up on Matasano after this one, so maybe this broke through his writer's block. And I forgot to say congrats to Mr. Dowd: way to go, man!