Vulnerability in Apple QuickTime

Krystian Kloskowski reported a buffer overflow in QuickTime versions 7.2 and 7.3. An attacker can lure a victim into loading a web page with an embedded media object, or a file in an email, which triggers a bounds-checking error in QuickTime that may allow execution of arbitrary code. This issue affects QuickTime on Windows and on Mac OS, and proof-of-concept code is publicly available.

If QuickTime is set as the default media player, Firefox will send the request directly to QuickTime.  Mozilla is currently investigating this issue to identify ways to protect Firefox users.

More information is available in the CERT report.