The vulnerability was one of two identified by exploit expert Petko D. Petkov in September 2006. Apple patched one, let the other slide.
Petkov's year's worth of frustration led him to post proof-of-concept code showing just how problematic the vulnerability can be. That code, some feel, will get turned into actual exploits quickly.
The irony is that earlier this year Apple got high marks for fast-fixing a QuickTime vulnerability that, admittedly, was higher risk with a much broader potential target base.
That's not the point -- or maybe it is. The size of the target base is a factor for a company that has to devote resources to patching a hole. Shouldn't be, but it is.
But to anyone running Firefox with QuickTime as its default media player, the target base is a party of one: themselves. Patch this problem, Apple!
Mozilla is making noise about the seriousness of the Firefox/QuickTime problem, which so far appears to affect only Firefox for Windows.
Mozilla's also got a tech-blog on the vulnerability here.