The popular DirectShow plugin that many people use to support video playback has a flaw that Microsoft warns could be used to execute arbitrary code.
The hole relies on malformed QuickTime video files (seems to be a common thread there) and can allow remote code execution at the logged-in user's level of access.
There is no direct fix for this, but Microsoft has released a registry patch to help prevent it from being exploited. The issue does not affect Vista or Windows 7.
Read more here.
Grab the Reg fix here.
In a statement, the Vole said that the attacks use malicious QuickTime media files and can cause remote code execution in the context of the logged-in user.
There is no patch for the vulnerability yet, but Microsoft has created a workaround registry script that you can download and run, available from Knowledge Base Article 971778.