The flaw was discovered by London security researcher Petko D. Petkov and posted on his blog, gnucitizen. The same vulnerability had previously been divulged on the blog as early as December last year, but has not as yet been addressed. "So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack," Petkov wrote.
While the proof of concept published on the site affects Mozilla's chrome engine, the QuickTime flaw is cross-browser, affecting versions of Internet Explorer too. "It works for IE as well, although the impact is less critical I must say. This is due to the tightened security policies IE implements for local zone scripts," Petkov responded in a comment.
Another researcher quickly pointed out on his blog that web surfers using the NoScript plugin for Firefox are protected from the chrome vulnerability allowing remote code execution, even if they have the originating site in their list of allowed domains.
The blog post publishing the flaw can be found here; however, we advise you not to run any files contained within the post, as they are examples of exploiting the flaw.