Researchers at Foreground Security have discovered a way to attack browsers that handle Adobe's Flash objects.

Mike Bailey, senior researcher at the firm, revealed that the vulnerability could be used to attack any of the 99 per cent of internet users who use Flash, or any site that allows user-created content to be posted online and served back from the same domain.

"Flash objects are not web pages. A Flash object does not need to be injected into a web page to execute – simply loading the content is enough," wrote Bailey in a blog posting.
"Let's consider the implications of this policy for a moment. If I can get a
Flash object on to your server, I can execute scripts in the context of your
domain."
He continued, reminding readers of how many web sites allow users to upload files of some kind, and how many of those sites serve them back to users. "Nearly every one of them is vulnerable," he added, citing Google's Gmail service among others.
According to Bailey, any one of a number of file types could be used to
inject malicious code into a web domain, including GIF format images and SWF
files.
"Gmail serves attachments from mail.google.com, the same domain that
is used to access other webmail functionality. You may already see where I'm
going with this," he continued, adding that the technique could be used to send
a payload to a user account, analyse sent messages and execute itself from the
inbox.
Remedies seem to be rather extreme, and not without their compromises. "For
users trying to protect themselves, disabling Flash completely is the only way
to be sure. But that breaks a lot of valuable stuff on the internet," Hill said.
"So you will probably end up mitigating rather than solving the issue."
Web site operators should switch to serving content from separate domains,
something that Hill said was done by firms including Yahoo, Hotmail and
Wikipedia.
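The condition described above (user-supplied bytes that the Flash player will execute, served from the application's own domain) and the separate-domain remedy can both be checked mechanically at upload and at serving time. The following is an added example for defenders, not code from the article or from Foreground Security. It assumes two hypothetical hostnames, detects uploads by their SWF signature rather than by the extension or Content-Type the uploader claimed, and adds conventional download headers alongside the separate-origin control the article recommends; the sample uploads are constructed for the example.

```python
from typing import Dict, List

# SWF files begin with one of three signatures: FWS (uncompressed body),
# CWS (zlib-compressed body) or ZWS (LZMA-compressed body).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Assumed origins for this example (hypothetical hostnames, not from the article).
APP_ORIGIN = "mail.example.test"            # where the application itself lives
USER_CONTENT_ORIGIN = "usercontent.example.test"  # separate domain for uploads


def looks_like_swf(data: bytes) -> bool:
    """True if the upload carries a Flash (SWF) signature, whatever its
    filename or declared Content-Type; the Flash player keys on the bytes."""
    return len(data) >= 3 and data[:3] in SWF_SIGNATURES


def audit_upload(filename: str, data: bytes, serving_host: str) -> List[str]:
    """Return policy findings for one upload as it would be served.
    Findings are short strings so they can be logged or asserted on."""
    findings: List[str] = []
    if looks_like_swf(data):
        # Executable by the Flash player in the context of serving_host.
        findings.append("swf-signature")
        if not filename.lower().endswith(".swf"):
            # Extension says image/document, bytes say Flash object.
            findings.append("extension-mismatch")
    if serving_host == APP_ORIGIN:
        # The exact condition the article warns about: user content served
        # from the same domain as the application's own pages and cookies.
        findings.append("served-from-app-origin")
    return findings


def user_content_headers(filename: str) -> Dict[str, str]:
    """Response headers for user-uploaded bytes. Serving from a separate
    domain is the primary control; these headers are standard hardening
    that keeps browsers from treating the response as renderable content."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample uploads: a minimal SWF header disguised as a GIF,
# and a genuine GIF header.
SAMPLE_SWF = b"FWS\x0a" + b"\x00" * 28
SAMPLE_GIF = b"GIF89a" + b"\x00" * 26

if __name__ == "__main__":
    for name, blob in (("report.gif", SAMPLE_SWF), ("photo.gif", SAMPLE_GIF)):
        print(name, "on app origin:", audit_upload(name, blob, APP_ORIGIN))
        print(name, "on user-content origin:",
              audit_upload(name, blob, USER_CONTENT_ORIGIN))
    print(user_content_headers("report.gif"))
```

The signature check catches only uploads whose bytes are actually a SWF; it does not cover every file type the article mentions, which is why the serving-origin finding matters more than the content check. An upload that is clean of findings on the separate origin is the state the Yahoo, Hotmail and Wikipedia approach described above aims for.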
Hill does not see a fix from Adobe coming "any time soon", while the firm
itself has not yet responded to calls for comment.