A possible page fault in gdi32!CreateBrushIndirect which is caused by an invalid pointer access, this is what an email to the Full-Disclosure mailing stated. Inlcuded also in this mail is a PoC for this new WMF vulnerability. According to my testing, it did indeed crash explorer and rendered my WinXP SP2 machine useless even for a while although no malware has been seen using this, Trend Micro is now studying what possible solutions it can offer clients to protect them from this.