WMF vulnerability patch and more good news
An unofficial patch has been written by programmer Ilfak Guilfanov. It works in my tests. Get it here. Uninstall it before installing the Microsoft patch due on January 10. There is also a vulnerability checker here. Guilfanov's blog must be getting heavy traffic -- the pages are not opening for me now. You can also download the patch at SANS. SANS also has a WMF FAQ.
Initially it was thought that all versions of Windows are vulnerable. Now several sources are saying that older versions are not vulnerable after all. See Larry Seltzer's blog here.
I have been testing a lot tonight and it appears to me that iDEFENSE is right: In a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw.
Microsoft announced today the official patch is slated to be released on January 10.
In the meantime, I highly recommend installing the patch from Guilfanov.