The exploit was demonstrated on a fully-patched Mac OS 10.4.9 system running Apple's Safari browser.
"You can steal cookies, you can steal browser cache, you can install malware. It is definitely serious," said independent security researcher Tom Ferris.
Users can defend against the vulnerability by disabling Java within the browser or by removing the QTJava.jar extension.
Dai Zovi wrote the exploit for a contest at the CanSecWest conference in which researchers were challenged to break into a pair of fully-patched MacBook Pro laptops.
The process of finding the vulnerability and writing the attack took Dai Zovi just nine hours.
"I began looking for a browser-based vulnerability around 10pm on Thursday night, had found one by around 3am, and had written a reliably working exploit by 7am," he told vnunet.com in an email interview.
As part of the contract for collecting the reward, Dai Zovi agreed to hand over the handling and development rights to the vulnerability to Tipping Point.
The company then immediately contacted Apple to report the flaw and added a fix to its own security software.
Apple did not return a request for comment. The company has a policy of not confirming or discussing vulnerabilities until after a fix has been issued.
And, yep, it'll run Android rather than RiscOS
US engineering giant's cost-cutting outsourcing plan is on the rocks, according to insiders
HP Envy X2 laptop only affordable if you've got loadsamoney
Counterfeit code-signing certificates enabling hackers to hide malware being sold by cyber criminals
Certificates can be used as part of layered obfuscation to evade detection by anti-virus software