basically you can upload a valid file to a website with an appended or prepended malicious file and then have it run when another user ...

YIKES!

looks at it. Forexample you can look at an uploaded zip file and the flash program will also run

My AV covers flash files It's actually blocked sites on-the-fly.

It is not just a flash problem flash is just one example of appending code

The Gmail hack is very difficult and wont affect most people but gives an idea of how risky this all is

Someone could perhaps append something the avatar pic in here

And then there are businesses and institutions that disallow end users installing things, so Flash is perpetually out of date.

its all one big mess. If they dont allow updates they should auto update!

We did some social hacking at work and can update our boxes now

Can't auto-update when each version has to go through an approval process. Yay Bureaucracy!

Firefox users should get NoScript and IE users should get ToggleFlash to control what Flash runs.

I'd also suggest blocking ads as a uploaded graphic might have appended flash or something else and your browser might run it

Oh, gods. Corrupted banner ads are a nightmare >_<