Jonathan from the Microsoft Security Response Center (MSRC) has some more info on MS07-049, which addresses a vulnerability in Virtual PC and Virtual Server. It’s interesting reading, and an edited snippet is below:

We stated in the bulletin that malicious code that runs inside a virtual machine can take complete control of the host system and that’s true. However, there are different degrees of “complete control.” For example, “Virtual Server” is the affected service in the case of a Virtual Server 2005 compromise. This service runs in the security context NetworkService. Anytime malicious code runs on your system, it is bad news, but it is pretty hard to escalate from NetworkService to LocalSystem when you’re running with fully-updated Windows Server 2003.

Unlike Virtual Server, Virtual PC runs as whichever user launches Virtual PC. It does work fine when run as a non-admin, so if you’re running malicious code inside the virtualization environment, we’d highly encourage you to run [Virtual PC/Server] as a non-admin user [on the host] to reduce the impact of this class of vulnerability.