Windows Metafile (wmf) Exploit Patch
For those of you who haven’t heard, there is a very bad “zero-day” (8^]) exploit for Windows exploding in the malware world.
I’ve written a detailed explanation below, which comes from various sources, but primarily the latest Security Now podcast.
Microsoft has no working fix for it yet, but there is a third-party fix:
Creator’s site:
http://www.hexblog.com/index.html
Mirror:
http://www.grc.com/miscfiles/wmffix_hexblog14.exe
I suggest installing this as soon as possible. All versions of Windows from 95-XP (including NT and 2K) are affected by this exploit.
When Microsoft finally fixes this problem, you can uninstall this patch.
Exploit details:
Windows *.wmf files are a scripted image format similar to scalable vector graphics (*.svg). Unfortunately, these files do not need to be named with the .wmf extension for Windows to execute them, so any file on any web page, in any attachment, or floating around in a worm may contain executable .wmf code.
The simple exploit takes advantage of a built-in error function execution in .wmf files. If the .wmf file has an error (it can’t be rendered for some reason, such as intentionally poor coding), Windows will automatically execute whatever error function is built into that file. This function can contain any malicious code that the creator wishes, which allows transparent installation of malware such as Trojans, spyware, key loggers, etc.
Patch Details:
The patch (http://www.hexblog.com/index.html) simply installs a .dll, which prevents the error function execution by removing it from the Windows metafile handler. It will not affect the system in any visible or functional way besides preventing this unnecessary feature.