At present time, the vulnerability was found to affect both a fully patched Windows XP SP3 and a Vista SP1 system:
“My colleague Xiaobo Chen and I investigated the incident […] The root cause was found to be the incorrect handling of certain XML tags in Internet Explorer 7.x that references already freed memory in the mshtml.dll. […] The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution.”
What’s worse (as expected) the details on the flaw as well as on how tu successfully exploit are already available on the web. So, until a full-proof patch comes along, just try to use a different browser. The recently-released Chrome, perhaps?