Microsoft delivered its biggest patch release in five years yesterday, but this has been overshadowed by a newly discovered zero-day hole in Internet Explorer that went unpatched. The exploit, first seen in China and other parts of Asia, targets Internet Explorer 7 on Windows XP and 2003 using malformed XML tags to take control of the system.

Specifically, the exploit creates an XML tag, waits 6 seconds in an attempt to thwart antivirus engines, then crashes the browser and runs malicious code when it is restarted. According to Symantec, the attack still requires some JavaScript in order to achieve code execution, so blocking JavaScript for untrusted websites could help mitigate the risk.

Additionally, the zero-day exploit has been joined by another one involving a memory problem in Microsoft SQL Server 2000 and a third vulnerability that appears to affect the WordPad Text Converter for Word 97. Microsoft says it is investigating the matter.