Easy-peasy, then
Right, let's see. TFA gives us absolutely *no clue* how this works, and I include the "illustrative" YeChoob embed in that assertion (how the frig am I supposed to interpret that?), so let's go to the linked ComputerWorld article:
"He used the example of a company that lets users upload content to a message forum to explain the process. "If the user forum lets people upload an image for their avatar, someone could upload a malicious Flash file that looks like an avatar image," Bailey said. "Anyone who then views that avatar would be vulnerable to attack.""
Point 1: Why the ready, willing and greased-up FUCK would any site let a user upload a Flash file as an avatar in the first place? I do believe most server-side scripting languages can tell the difference.
Point 2: <img src="/usercontent/dodgyflashfile.swf" /> does not render a Flash object in any browser I know of. I can't see why the swf-masquerading-as-gif possibility is an issue here at all. (Correct me if I'm wrong and browsers actually have become that clever/'tarded.)
Any site that (a) lets users upload Flash, Java, JavaScript or *any* damn thing that can make the browser do tricks without *very* thorough vetting by live humans and (b) serves that same content back to *any* user (including the uploader) deserves to be rendered into gobbets by a pitchfork-wielding mob of their users (and I should think the shareholders won't be too far behind).
I struggle to comprehend the fuckwittedness of any web-dev that could allow themselves to be vulnerable to something like this.
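The server-side check that Point 1 alludes to, as an added example that is not part of the original comment: it decides from the first bytes of the upload rather than from the filename or the Content-Type the browser claims. The function names and sample byte strings are constructed for illustration.

```python
# Added example: classify an uploaded avatar by its leading bytes.
# All names here are hypothetical; the sample inputs are constructed.

# Magic numbers of the image formats an avatar field would accept.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}

# SWF files start with "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def sniff_avatar(data: bytes):
    """Return the image MIME type the bytes start with, or None."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def accept_avatar(filename: str, claimed_type: str, data: bytes):
    """Return (accepted, detail). filename and claimed_type come from the
    client, so they are deliberately ignored when making the decision."""
    if data[:3] in SWF_SIGNATURES:
        return (False, "flash content")
    mime = sniff_avatar(data)
    if mime is None:
        return (False, "not an allowed image")
    return (True, mime)


# Constructed samples: a SWF header renamed to .gif, and a real GIF header.
SAMPLE_SWF = b"CWS\x0a" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8

if __name__ == "__main__":
    print(accept_avatar("avatar.gif", "image/gif", SAMPLE_SWF))
    print(accept_avatar("avatar.gif", "image/gif", SAMPLE_GIF))
```

A header check only shows what the file starts with; re-encoding the image server-side and serving it with a fixed image Content-Type are the usual next steps.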