What exactly is going wrong with the WMF vulnerability?
Turns out this is not really a bug, it's just bad design. Design from another era.
When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time.
The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction.
This function was designed to be called by Windows if a print job needed to be canceled during spooling.
This really means two things: 1) There are probably other vulnerable functions in WMF files in addition to SetAbortProc 2) This bug seems to affect all versions of Windows, starting from Windows 3.0 - shipped in 1990!
"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.