To sum it up: Windows XP ships with the UPnP service running; with it running, users can claim control of your system, including reading and accessing local files, or whatever else they feel like doing. It's an ugly one, and it can be done remotely, over the internet, by default. If, like me, you've disabled UPnP and/or are running a firewall, then you're safer, but it's still best to apply the patch anyways. Last I checked it wasn't available via Windows Update, and knowing Microsoft, it probably won't be for at least another week. I'd get it now.
Read eEye Digital Security's announcement of the hole
Microsoft issues patch for "serious" XP hole - CNET.com
Microsoft's advisory page, with patch download for XP/ME/98
Links borrowed from chumducky, heard about from all o'er the place.