Several web sites have been reporting a security vulnerability in Windows XP and Server 2003 based on the way Microsoft Help Center handles escape sequences. The technical details are described here:
http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html
Word from the Microsoft Security Response Center (MSRC) is that the vulnerability has not been exploited "in the wild", but proof-of-concept code has been published. Vista, Windows 7 and Server 2008/2008 R2 are not at risk. Mitigating factors and workarounds are described in Microsoft Security Advisory 2219475:
http://www.microsoft.com/technet/security/advisory/2219475.mspx
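The advisory's workaround is to unregister the HCP protocol handler that Help and Support Center uses. The script below is an added example for administrators, not code from the original post or from Microsoft; it only reports whether an XP or Server 2003 machine still has the handler registered, so you can see which systems have the workaround applied. It assumes the handler lives under the HKEY_CLASSES_ROOT\HCP registry key and that the key is removed (after a backup) to apply the workaround.

```powershell
# Added example (not from the original post or the advisory): report whether the
# HCP protocol handler is still registered on an affected Windows XP / Server 2003 host.
# Assumption: the advisory workaround is applied by removing HKEY_CLASSES_ROOT\HCP.
# Run in an elevated PowerShell session.

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'

# XP reports kernel version 5.1 (5.2 for XP x64), Server 2003 reports 5.2.
$os = Get-WmiObject Win32_OperatingSystem
$affected = ($os.Version -like '5.1*') -or ($os.Version -like '5.2*')

if (-not $affected) {
    Write-Output "OS version $($os.Version) is not in the affected range (XP / Server 2003); nothing to check."
    return
}

if (Test-Path $hcpKey) {
    Write-Output "HCP protocol handler is registered at $hcpKey - workaround NOT applied."
    # Show the command the shell would run for hcp:// links, for the record.
    $handler = (Get-ItemProperty "$hcpKey\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    if ($handler) { Write-Output "Handler command: $handler" }
    Write-Output "To apply the advisory workaround, back up the key and then remove it:"
    Write-Output "  reg export HKCR\HCP hcp-backup.reg"
    Write-Output "  reg delete HKCR\HCP /f"
} else {
    Write-Output "HCP protocol handler is not registered - workaround appears to be in place."
}
```

The script deliberately makes no changes itself; it prints the backup and removal commands so the change is an explicit, reversible step taken by the administrator. Re-registering the handler is a matter of importing the exported .reg file once a patch is installed.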
Meanwhile, the Google engineer who made details of the vulnerability, and how to exploit it, public only five days after informing Microsoft, before they had a chance to issue a patch, has been criticized in several circles:
http://news.cnet.com/8301-27080_3-20007421-245.html?part=rss&subj=news&tag=2547-1_3-0-20