In ActionScript 2.0, any uninitialized value can automatically be set via the URL as a FlashVar. In ActionScript 3.0, you must explicitly request the value of each FlashVar variable and manually assign that value to an internal variable. However, that only addresses half of the overall solution to help securely deploy applications that run in Flash Player. As the web developer, you must also correctly leverage the tools provided by the Adobe ActionScript language and the Flash Player platform to help ensure that your SWF files are more secure.
Adobe provides many resources for developers—such as the Flash Player security section of the Programming ActionScript 3.0 for Flash documentation—to assist with developing more secure code.
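The explicit ActionScript 3.0 step described above, written as an added example (not code from Adobe's documentation): each FlashVar is requested by name from `loaderInfo.parameters`, validated, and only then assigned to an internal variable that already holds a safe default. The class name `Main`, the parameter names `lang` and `startLevel`, and the allowed values are assumptions made for illustration.

```actionscript
package {
    import flash.display.Sprite;

    // Added example: document class that reads FlashVars explicitly.
    // "lang" and "startLevel" are hypothetical parameter names.
    public class Main extends Sprite {
        // Allow-list of accepted values (constructed for this example)
        private static const ALLOWED_LANGS:Array = ["en", "de", "fr"];

        // Internal state is always initialized, so nothing is left for a URL to fill in
        private var lang:String = "en";
        private var startLevel:int = 1;

        public function Main() {
            // AS3 exposes FlashVars and query-string values only through this object
            var params:Object = loaderInfo.parameters;
            lang = readChoice(params, "lang", ALLOWED_LANGS, lang);
            startLevel = readInt(params, "startLevel", 1, 10, startLevel);
        }

        // Accept a value only if it is on the allow-list; otherwise keep the default
        private static function readChoice(p:Object, name:String,
                                           allowed:Array, fallback:String):String {
            if (!p.hasOwnProperty(name)) return fallback;
            var v:String = String(p[name]);
            return allowed.indexOf(v) >= 0 ? v : fallback;
        }

        // Accept a value only if it is a short decimal number inside [min, max]
        private static function readInt(p:Object, name:String,
                                        min:int, max:int, fallback:int):int {
            if (!p.hasOwnProperty(name)) return fallback;
            var s:String = String(p[name]);
            if (!/^\d{1,3}$/.test(s)) return fallback;
            var n:int = parseInt(s, 10);
            return (n >= min && n <= max) ? n : fallback;
        }
    }
}
```

Values that are missing, malformed, or out of range never reach the internal variables; the defaults set at declaration stay in effect.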
In addition, depending on settings within the web page, the loaded SWF could inject script into the loaded SWF file's web page.
These attacks could occur whenever the end-user can gain control over movies that are loaded by a parent SWF file.
A remotely loaded SWF may try to render its controls over the top of the loading SWF in an attempt to perform a spoofing attack.
By overlaying the parent SWF, the malicious SWF can hijack control from the loading SWF file.