I thought you might want to see this. It's MS' take on the WMF vulnerability.
Either this was published before the full extent of the problem was known or Microsoft is intent on minimizing the impression of danger. (The former is more likely than the latter.) They are insistent that user interaction is a requirement for an exploit to be successful. This is now known to be untrue. An indexing program, such as a desktop search utility (ala Google's) can trigger the exploit. In my own tests, here, I triggered two of the known exploits by using a third-party thumnail generator, as well.
The Internet Storm Center at SANS has an FAQ on the problem. Note that IE users are at more risk than FireFox users, but only just. Almost everyone is vulnerable.
All we can do is to install the unofficial patch and wait for Microsoft to act decisively.