There are both open-source and closed-source approaches on display here. The closed source process is passive, the open source process is active.
Microsoft is taking the closed-source approach. It won't have a fix for any of this until it has a fix, and then the fix will be pushed out. This leads to speculation that the .WMF format, which dates from 1990, is irretrievably broken and must be abandoned right now.
Most anti-viral firms are also taking a closed-source approach. They're dealing with exploits, updating their products, and keeping quiet about things. My own anti-viral is currently showing no alerts related to .wmf.
Then there is the open source approach. It's a bit messy, but in about a half-hour of clicking this is what I found.
Ilfak Guilfanov (above), a Russian-trained security expert now working in Belgium for Data Rescue (and best known for his IDA Pro Debugger), wrote a fix, which he described on his Hexblog. My recent attempts to visit either of the above locations, however, were hit by 403 errors -- they've been slammed by traffic and closed off to the great unwashed.
So it's off to Plan B.
Plan B starts with Softprose, in Clifton, NJ, which has been active spreading word of the vulnerability, and possible short-term fixes. Both on their own site and on security boards like AOTA.Net, they suggest a number of approaches. But their words have been criticized as being, well, wordy. Matt Cutts offers a simple fix, which disables the DLL being exploited and suggests you switch to a Washington State program, Paint.Net, for your image rendering.
If you're interested in the active approach, please go for it, and let the rest of us know in the comments what you find.
So you have two ways to go. You can passively await a fix from your closed source vendor to fix your problem, or click around the open Internet and get yourself a quick fix. There are no guarantees in the open source approach, as always your mileage will vary, but at least you'll be doing something.