Unlike with previously revealed vulnerabilities, computers can be infected simply by visiting one of the Web sites or viewing an infected image in an e-mail through the preview pane in older versions of Microsoft Outlook, even if users did not click on anything or open any files. Operating system versions ranging from the current Windows XP to Windows 98 are affected.

Source:

This flaw exploits the Windows Graphics Rendering Engine and is reported to affect Internet Explorer, Outlook, and Outlook Express, as well as Firefox and Opera.

editorial aside: Since it is has suggested by an e-peep or two that the "Lib" media can not be trusted, I'm certain that all you Windows users have nothing to worry about since the Washington Post is reporting this. ;-)

Another source of information about this flaw is that purveyor of "Trustworthy Computing" -- Microsoft.

Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Microsoft is aware that this vulnerability is being actively exploited.

Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and email based attacks, the code would execute in the security context of the logged-on user.

A possible workaround has been reported a word of warning: improperly changing the .dll settings of a computer can cause serious problems.

* Click on Start > Run.
* Type:
regsvr32 /u shimgvw.dll
* Click OK
* Click OK again when the dialog appears.

Note that this can have an effect on the display of some thumbnails in Windows.

Addendum: to reregister (undo the workaround) the .dll use this command: regsvr32 shimgvw.dll