The vulnerability is very critical in the sense that the user does not need to do anything, except view the image. This can be viewed either in a email or via a browser. Microsoft refused to depart from its monthly patch-release schedule to release an express patch. This gives a cosy 10-day window for the vulnerability to wreck its way worldwide.
Meanwhile Ilfak rose to the occasion and posted an unofficial patch on this website. His site was down earlier due to humongous load (‘half the planet is downloading WMFFIX_HEXBLOG14.exe’), but is back now. The patch has also been mirrored by a number of sites including, GRC.com, Sunbelt Software, Antisource. F-Secure and Internet Storm Center (SANS) recommended that customers use Ilfak’s patches while Microsoft puts its patch together.
Update: Microsoft has released a patch – it is being automatically applied to machines (Win XP SP2 atleast) with Automatic Updates enabled.
Keywords: WMF, Vulnerability, Microsoft, Ilfak Guilfanov, Patch, WMFFIX_HEXBLOG, WMFFIX_HEXBLOG14, GRC.com, Window, Patch Schedule, F-Secure, Internet Storm Center, SANS, FAQ, Securiteam, Advisory