According to Apple, the problem revolved around the QuickTime Media Links (QTLs):
“A command injection issue exists in QuickTime’s handling of URLs in the qtnext field in QTL files. By enticing a user to open a specially crafted QTL file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs. This issue does not affect Mac OS X.”
The average user could be easily tricked into launching such malware, as he would consider them to be legitimate movie or music files. The difference is that, when clicked, they won’t play anything, but instead have JavaScript code to run with the privileges of the current user.
The security update for QuickTime 7.2 can be downloaded from here.