Adobe have released a patch to Flash fix "critical vulnerabilities" that have been identified in Flash Player 8.0.24.0 and earlier versions, including the version using in Apple's QuickTime. It is possible for an attacker who successfully exploits these vulnerabilities to take control of the affected system if:

• A malicious SWF file is loaded to the Flash Player by the user.
  

Do not load Flash files from uncertain sources, including those email links you get at home and the office!

Adobe recommends that everyone upgrade to the newest version 9.0.16.0.

• Viewing a maliciously-crafted H.264 movie may lead to an application crash or arbitrary code execution
• Viewing a maliciously-crafted QuickTime movie may lead to an application crash or arbitrary code execution
• Viewing a maliciously-crafted FLC movie may lead to an application crash or arbitrary code execution
• Viewing a maliciously-crafted FlashPix may lead to an application crash or arbitrary code execution
• Viewing a maliciously-crafted SGI image may lead to an application crash or arbitrary code execution

Apple recommends all users of QuickTime upgrade to version 7.1.3. All these vulnerabilities are corrected in 7.1.3.

However

The version of Flash that ships in QuickTime is older than the version available from Adobe and used in Safari, therefore, while we still ship Flash with QuickTime, it is turned off by default. The means that most interactive QuickTime material on the Internet will display with a gray or blank screen, without any warning to the user. Even if the user looks at the track properties there is no indication that there is even a Flash Track to enable.

It is possible to go to QuickTime Preferences > Advanced and enable Flash there, but if you're in the QuickTime authoring business, this will be a tech support nightmare.