Core Security, which found the vulnerability, described it this way in a statement it issued this morning:
Developers need to do a better job checking how applications handle inputs, and these types of problems can be avoided.
All of that is the bad news. The good news is that Core Security worked with Adobe and didn't announce the existence of this flaw until it was fixed.
Core Security has published an advisory that probably gives you more information about the flaw than you'll need to know.