As the great Israeli comedians group, "Hagashash Hachiver", was known to say: "So... What did we have so far?"
One critical vulnerability in Windows' Graphics Rendering Engine. Over 200 known viruses exploiting this vulnerability. At least 3 "generations" of the Metasploit Proof-of-Concept code. Two third-party unofficial patches. One leaked "beta" patch, and one official patch, released 5 days earlier.
And all this in a week or so. Wow! What a great opening for 2006.
According to the Microsoft's security bulletin, and some other sources (haven't bindiff it myself yet...), the patch only forbids the Escape's code execution functionality, if it was called by the WMF rendering engine. But, is it enough?
A quick scan through my %windir%\system32 shows that over 20 DLL files are importing the problematic Escape function.
A better solution by Microsoft would be to forbid the SetAbortProc functionality, as they probably already did in the 64bit version of Windows XP.
I can only hope that they'll provide a better fix, before someone else exploits this design flaw.