A group called "Computer Terrorism" has released a Proof-of-Concept exploit for an unpatched Microsoft Internet Explorer vulnerability. The exploit allows remote code execution on most Windows systems including XP sp2. This vulnerability can e.g. be exploited if a user visits a web site controlled by the attacker.
Apparently Microsoft was informed about this bug in May. Earlier it was seen as a denial-of-service vulnerability. MS has not released a patch yet but a Security Advisory on the issue is available.