Bad design flaws
This is, in my opinion, the result of two glaringly obvious design flaws.
1. According to the article, a cross-site scripting "attack" can inject variables into a Flash object. If this is true, it's because variables can be set in the HTML code or as part of the request. This is a huge security problem in and of itself. When you create a program (applet, application, whatever), you design it (or at least should design it) so that it is a closed system except for an input parameter string, and your program should parse and process the parameter string. You should not process the parameter string without validating the input, and you most certainly should not allow variables to be set from outside the program.
2. This is the big one. From the beginning of the browsers (at least as far as I am aware), browsers have been stupid about sessions. Browsers assume that from the moment the browser is opened to the moment the browser is closed, any visit to a website is the same session, no matter which window or tab is making the request. This is, in my opinion, another huge security problem. This is the reason cross-site scripting works -- because browsers are stupid about sessions. A session should be a single window/tab, and any children of that window/tab (so a session can contain multiple windows/tabs, but only ones spawned by the original).
Let's say I open two Firefox windows. I go to my online banking site in one window and pay some bills. Keeping that first window open, or closing it (without using my bank's proper logout procedure), I then go to exploitmenow.com in the second window. Because the browser executable has not been closed, the browser treats this as the same session as the first window. There is no reason for that second window to be able to access my banking session details or be treated as the same session. But if, in that second window, I then go to my online banking site, I'll go right in without authenticating because it's treated as part of the same session as the first window.
Now, I understand there are issues with separating sessions. And I understand PHP sessions are probably treated the same (or similar). But it still doesn't make it right. In order to secure our browsers, we first need to secure our sessions. And the way to do that is to treat every window/tab (except for children) as individual sessions.
Additionally, one window/tab should not be able to access the content of another window/tab unless it has a parent/child/sibling relationship.
Lastly, a "pet peeve" of mine. In recent months, it seems that the editorial staff (if there is any) at El Reg have quit proofreading the articles. Articles are released with multiple spelling and grammar errors, and I'm not talking about UK English vs US English; I'm talking about missing/added words and missing/added letters. I'm not singling out this article, because it seems to be a regular occurrence now. This article was just the "final straw" due to the number of errors I noticed upon a quick reading (3 errors -- "tens of thousands websites", "vulnerabile", and "completeley"). I know that content is typically considered more important than presentation, but it makes it more difficult to read, not to mention it just looks bad.