USSD codes are those codes that you type into your handset and "dial" in order to display certain information (such as *#06#, which displays a phone's IMEI number). A USSD code can also be used to wipe a device. That's where the issue on Android comes into play.
In Android's case, placing a USSD code behind the tel: URL prefix can cause the phone's dialer to execute that code automatically, without the user dialing it. If the USSD code is a harmful one, such as the one that wipes the device ... well, you get the picture. Such a link can be embedded in a web page or in a link.
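As an added example (not code from the article, Samsung or Google): a small Python scanner that pulls tel: URIs out of a page, percent-decodes them so an encoded * or # is not missed, and flags any whose dial string looks like a USSD code, together with the same check expressed as the policy a hardened dialer would apply to an incoming tel: intent. The sample HTML is constructed and only uses the *#06# IMEI code mentioned above.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import unquote

# '*' and '#' turn a dialed string into a USSD/MMI code instead of a plain
# phone number; a safe dialer must never auto-execute these from a tel: URI.
USSD_CHARS = set("*#")
TEL_RE = re.compile(r"tel:[^\s\"'<>]+", re.IGNORECASE)

def decode_tel_target(uri: str) -> Optional[str]:
    """Dial string of a tel: URI, percent-decoded so %2A/%23 cannot hide * or #."""
    m = re.match(r"^\s*tel:(.*)$", uri, re.IGNORECASE | re.DOTALL)
    return unquote(m.group(1)).strip() if m else None

def classify_target(target: str) -> str:
    """'ussd' if the dialer would treat the string as a USSD/MMI code."""
    return "ussd" if any(c in USSD_CHARS for c in target) else "number"

def auto_dial_allowed(uri: str) -> bool:
    """Policy for a hardened dialer: dial plain numbers from a tel: intent,
    but only display (never execute) anything that looks like a USSD code."""
    target = decode_tel_target(uri)
    return target is not None and classify_target(target) == "number"

class TelCollector(HTMLParser):
    """Collects tel: URIs from any attribute (anchors, iframes, meta refresh)."""
    def __init__(self) -> None:
        super().__init__()
        self.uris: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        for _, value in attrs:
            if value:
                self.uris.extend(TEL_RE.findall(value))

def scan_html(html: str) -> List[Tuple[str, str]]:
    """(decoded dial string, classification) for every tel: URI on the page."""
    parser = TelCollector()
    parser.feed(html)
    found = [decode_tel_target(u) for u in parser.uris]
    return [(t, classify_target(t)) for t in found if t is not None]

# Constructed sample page: one ordinary phone link, then the IMEI code *#06#
# from the article embedded three ways, two of them percent-encoded.
SAMPLE_HTML = """
<a href="tel:+15555550100">Call support</a>
<a href="tel:*%2306%23">show IMEI</a>
<iframe src="TEL:%2A%2306%23"></iframe>
<meta http-equiv="refresh" content="0;url=tel:%2A%2306%23">
"""
```

Running `scan_html(SAMPLE_HTML)` reports the first link as a plain number and the other three as USSD codes, which is exactly the split a dialer needs in order to refuse to auto-execute the latter.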
According to Reeve, Samsung has known about the flaw for months and has corrected the issue in its latest 4.0.4 build. It's unclear what the exact build version for that would be. Since others say that Jelly Bean builds don't have the issue, and since the GS3 is starting to get that rolled out to it, the vulnerability could be patched soon - at least on those handsets.
Reeve also indicated that the issue is not isolated to Samsung phones.
There's another fix, too. Since Android allows alternative dialers to be installed, an end user could install a different one that does not have the vulnerability. Dialer One was cited as an app in Google Play that did not have the issue.
There are probably more, but at the very least users can rely on that one app.
The embedded video shows the vulnerability being demonstrated, at about 9 and a half minutes in.