What you need to know about the WMF vulnerability

09.01.2006

The situation

Is any real-world malware targeting this hole? Like rust, exploit writers never sleep, or even slow down enough to be counted. Close to 100 known exploits have been noted on the CastleCops.com discussion board, and antivirus firm Sophos reported over 200 attack methods thus far.

How are the exploits traveling? Infection vectors will be familiar to anyone who follows the malware scene: graphics or executables opened from within e-mail or instant messages, malicious or compromised sites, fake e-cards, fake system messages and the like. Antivirus firms have discovered instances of a stand-alone utility called WMFMaker that quickly constructs a malicious WMF. That program is believed to have been used in the first wave of exploits.

What's the launch sequence? When a WMF image is rendered, whether by clicking it, previewing it in Windows Picture and Fax Viewer or an Explorer thumbnail, or loading it through a browser, the viewing application hands it to the shimgvw.dll library, which plays the metafile's records through gdi32.dll. One record type, META_ESCAPE, reaches the GDI Escape() function, and one of its escape codes, SETABORTPROC, registers a callback that an application normally uses to let the user cancel a print job during spooling. The flaw is not a buffer overflow: a SETABORTPROC record inside a metafile makes GDI register an abort procedure whose code is the bytes that follow in the file itself, and GDI then invokes that procedure during playback, so whatever code the attacker placed in the WMF runs with the privileges of the user viewing it. Because the viewer identifies the format by content rather than by extension, the same file renamed to .jpg or .gif is just as dangerous.
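
The following scanner is an added example written for this article, not code from the original page or from any antivirus vendor. It walks the record chain of a WMF file and reports any META_ESCAPE record carrying escape code 9 (SETABORTPROC), which is exactly the construct the exploits rely on. The sample files it checks are constructed inline; the filler bytes standing in for attacker code are placeholders, not a working payload. A second, raw signature pass is included because several in-the-wild files garble the size fields so that a strict record walk gives up before reaching the escape.

```python
"""Scan a WMF file for the META_ESCAPE/SETABORTPROC record abused by the MS06-001 exploits."""
import struct

# Record and escape numbers from the 16-bit Windows Metafile format.
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETBKCOLOR = 0x0201
SETABORTPROC = 9
PLACEABLE_MAGIC = 0x9AC6CDD7
METAHEADER_LEN = 18


def build_wmf(records, placeable=False):
    """Assemble a metafile from (rdFunction, rdParm bytes) pairs.
    Constructed sample input for the scanner, not an exploit generator."""
    body = b""
    max_words = 0
    for func, parm in records:
        if len(parm) % 2:
            parm += b"\x00"            # record sizes are counted in 16-bit words
        words = (6 + len(parm)) // 2   # rdSize (4) + rdFunction (2) + parameters
        body += struct.pack("<IH", words, func) + parm
        max_words = max(max_words, words)
    total_words = (METAHEADER_LEN + len(body)) // 2
    # METAHEADER: mtType, mtHeaderSize (words), mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    data = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0) + body
    if placeable:
        # Aldus placeable header: key, hmf, bbox (4 x INT16), inch, reserved, XOR checksum of the 10 words before it
        head = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", head):
            checksum ^= w
        data = head + struct.pack("<H", checksum) + data
    return data


def scan_wmf(data):
    """Walk the records and report SETABORTPROC escapes.
    Returns (is_suspicious, findings) where findings is a list of strings."""
    findings = []
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                        # skip the placeable header if present
    if len(data) < off + METAHEADER_LEN:
        return True, ["truncated: no METAHEADER"]
    hdr_words = struct.unpack_from("<HHHIHIH", data, off)[1]
    if hdr_words != 9:
        findings.append(f"unusual mtHeaderSize={hdr_words} (normally 9)")
    off += METAHEADER_LEN
    seen_eof = False
    while off + 6 <= len(data):
        rd_words, rd_func = struct.unpack_from("<IH", data, off)
        if rd_func == META_EOF:
            seen_eof = True
            break
        rd_len = rd_words * 2
        if rd_words < 3 or off + rd_len > len(data):
            findings.append(f"malformed rdSize={rd_words} at offset {off}; record walk stopped")
            break
        if rd_func == META_ESCAPE and rd_words >= 5:
            # META_ESCAPE parameters: escape code (WORD), byte count (WORD), escape data
            esc_code, _esc_bytes = struct.unpack_from("<HH", data, off + 6)
            if esc_code == SETABORTPROC:
                payload = data[off + 10 : off + rd_len]
                findings.append(
                    f"META_ESCAPE/SETABORTPROC at offset {off}: {len(payload)} bytes of callback code in-file")
        off += rd_len
    if not seen_eof:
        findings.append("no META_EOF record")
    # Second pass: raw signature for rdFunction=META_ESCAPE immediately followed by escape code 9.
    # Catches files whose size fields are deliberately garbled so the walk above stops early.
    sig = struct.pack("<HH", META_ESCAPE, SETABORTPROC)
    pos = data.find(sig)
    while pos != -1:
        rec_off = pos - 4               # rdSize precedes rdFunction
        if not any(f"at offset {rec_off}:" in f for f in findings):
            findings.append(f"raw SETABORTPROC signature at offset {rec_off} (outside the parsed record chain)")
        pos = data.find(sig, pos + 1)
    return any("SETABORTPROC" in f for f in findings), findings


# Constructed samples: a benign file, a well-formed SETABORTPROC file, and one with a garbled rdSize.
FILLER = b"\xcc" * 16   # placeholder standing in for attacker code; not a payload
BENIGN = build_wmf([(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)), (META_EOF, b"")], placeable=True)
ESCAPE = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(FILLER)) + FILLER), (META_EOF, b"")])
GARBLED = (struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
           + struct.pack("<IH", 0, META_ESCAPE) + struct.pack("<HH", SETABORTPROC, len(FILLER)) + FILLER)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("escape", ESCAPE), ("garbled", GARBLED)):
        suspicious, notes = scan_wmf(sample)
        print(name, "SUSPICIOUS" if suspicious else "clean", notes)
```

Two points worth noting about the design. A structural walk alone is not enough: since GDI itself was lenient about the size fields, a scanner that trusts rdSize can be talked out of ever reaching the escape record, which is why the raw signature pass is kept as a backstop. And the scanner keys on the escape code rather than on any particular payload bytes, because the callback code is whatever the attacker chose and changes from sample to sample, while the SETABORTPROC record is the one thing every variant has to contain.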

What do those DLLs and functions do?