It took me several days to get around to looking at this, but it is definitely worth posting for all you MySpace hackers, or anyone else who runs into the allowscriptaccess="never" flag on embeds. Yes, it can be subverted, by using PDF XSS:
I recently exploited a website with a vector which is not on your website: you can use embed with the PDF XSS. The fun thing about this is that even if the <embed> tag has allowscriptaccess set to never, it still executes!
Indeed, just as he says, I was able to test this in IE 7.0 and get it working (my Firefox install has been severely crippled since the UXSS-in-PDFs fiasco we saw last month), so I was unable to verify it in Firefox, but I'm sure someone else will chime in. Anyway, very nice find by Huib!
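As an added illustration (my own code, not from the original post or from Huib), here is the sanitizer-side check that this trick walks straight past. The point is that allowscriptaccess is a Flash Player setting: a filter that accepts any <embed> as long as allowscriptaccess="never" is present has said nothing about a PDF loaded through the same tag. The sample tags and the example.test host are constructed; the assumption that "PDF XSS" means the Adobe Reader plugin issue triggered by a javascript: URL in the PDF's URL fragment (the #FDF=javascript: shape) is mine.

```javascript
// Added example, not code from the original post or from Huib.
// Assumption (mine): the "PDF XSS" referred to above is the Adobe Reader plugin
// bug that runs a javascript: URL carried in the PDF's URL fragment, e.g.
// file.pdf#FDF=javascript:alert(1). The host example.test is made up.

const FLASH_TYPE = "application/x-shockwave-flash";
const EXT_TO_TYPE = { swf: FLASH_TYPE, pdf: "application/pdf" };

// Parse one <embed ...> tag into a map of lowercase attribute names to values.
function parseEmbedAttrs(tag) {
  const m = /^\s*<embed\b([\s\S]*?)\/?>\s*$/i.exec(tag);
  if (!m) throw new Error("expected a single <embed> tag");
  const attrs = {};
  const re = /([a-z_:][-a-z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;
  let a;
  while ((a = re.exec(m[1])) !== null) {
    const value = a[2] !== undefined ? a[2] : (a[3] !== undefined ? a[3] : (a[4] || ""));
    attrs[a[1].toLowerCase()] = value;
  }
  return attrs;
}

// Which plugin will get the content: the explicit type attribute if present,
// otherwise a guess from the src path's extension (query and fragment stripped).
function contentType(attrs) {
  if (attrs.type) return attrs.type.trim().toLowerCase();
  const path = (attrs.src || "").split(/[?#]/)[0];
  const ext = (/\.([a-z0-9]+)$/i.exec(path) || [])[1];
  return ext ? (EXT_TO_TYPE[ext.toLowerCase()] || "unknown") : "unknown";
}

// The decoded URL fragment of src, or "" if there is none.
function urlFragment(src) {
  const i = src.indexOf("#");
  if (i < 0) return "";
  const raw = src.slice(i + 1);
  try { return decodeURIComponent(raw); } catch (e) { return raw; }
}

// Decide whether an <embed> may be published. The naive MySpace-style rule is
// only the first test; the two that follow are what the PDF vector requires.
function embedVerdict(tag) {
  const attrs = parseEmbedAttrs(tag);
  const src = attrs.src || "";
  if ((attrs.allowscriptaccess || "").trim().toLowerCase() !== "never") {
    return { verdict: "block", reason: "allowscriptaccess is not \"never\"" };
  }
  // A javascript: URL in the fragment is the PDF XSS shape; refuse it outright.
  if (/javascript\s*:/i.test(urlFragment(src))) {
    return { verdict: "block", reason: "javascript: URL in the src fragment" };
  }
  // allowscriptaccess only means something to Flash, so anything else is
  // unconstrained plugin content and must not be waved through on its strength.
  const type = contentType(attrs);
  if (type !== FLASH_TYPE) {
    return { verdict: "block", reason: "allowscriptaccess only governs Flash; content type is " + type };
  }
  return { verdict: "allow", reason: "Flash content with script access disabled" };
}

// Constructed sample tags (not taken from any real profile page).
const SAMPLES = [
  '<embed src="http://example.test/movie.swf" allowscriptaccess="never">',
  '<embed src="http://example.test/movie.swf" allowscriptaccess="always">',
  '<embed src="http://example.test/doc.pdf#FDF=javascript:alert(document.cookie)" allowscriptaccess="never">',
  '<embed src="http://example.test/doc.pdf" type="application/pdf" allowscriptaccess=never />',
];

for (const tag of SAMPLES) {
  const v = embedVerdict(tag);
  console.log(v.verdict.padEnd(5), v.reason, "<-", tag);
}
```

Only the first sample survives; the third sample is the shape Huib describes, and note that it passes the allowscriptaccess test just as he says, so a filter that stops there lets it through.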