Microsoft is dragging their heels on this one. There's a third-party patch that takes care of the flaw now, and it has been vetted by a number of sources.
This is a big problem. More information here:
The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if they are indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well. Microsoft announced that an official patch will not be available before January 10th, 2006 (next regular update cycle).
I just installed the patch, but make up your minds for yourselves.
R