Flash vulnerability reveals open ports

From scan.flashsec.org:

Summary

Due to a design flaw in ActionScript 3 socket handling, compiled Flash movies are able to scan for open TCP ports on any host reachable from the host running the SWF, bypassing the Flash Player Security Sandbox Model and without the need to rebind DNS.

You can see a proof of concept at the site, and it's quite interesting to watch. This happens inside your firewalled network, just by browsing the internet.