The fundamental problem is that, under certain circumstances, some versions of Windows will execute code embedded in a WMF (Windows Metafile) image file. Treating the contents of an untrusted data file as executable code is something sound programming practice strongly forbids, and it produced a very dangerous vulnerability in Windows once attackers discovered how to exploit it.
Gibson now offers a free test program that determines whether a machine is vulnerable. He has confirmed that Windows 95 and Windows 98 systems are not vulnerable to this exploit: they simply will not execute the embedded WMF code. Certain versions of Windows NT are vulnerable and will not be patched by Microsoft. Microsoft has issued patches for the newer versions of Windows, all of which are affected, and even for Vista, the not-yet-released version.
There is really no question that the SetAbortProc escape (the SETABORTPROC subfunction of a META_ESCAPE metafile record), which lets a WMF hand code to Windows for execution, was introduced deliberately. It was, and it was there before Windows 95. This is not a "buffer overrun" issue or a bug; it is a "feature." There is no convincing explanation, intentional or otherwise, for why this vulnerability was introduced with the later versions of Windows, and it is unlikely we will ever know why it happened. It may be that even Microsoft does not know why it was done, since it was an undocumented "feature."
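As an added illustration (example code written for this page, not Gibson's test program or anything from Microsoft), here is a Python scanner that walks the record list of a WMF file and flags every META_ESCAPE record whose subfunction is SETABORTPROC. A still image has no business registering a print-abort procedure, so such a record is a strong indicator of a file built to trigger this flaw. The sample files are constructed inline; the escape payload is filler bytes, not exploit code. The record layout and constants follow the WMF format; the placeable-header handling and the minimum-record-size check are design choices of this example, not part of the original text.

```python
import struct

# WMF constants (from the Windows Metafile format). The sample files below are
# constructed for this example; they are not files from the original page.
PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape subfunction that registers an abort procedure


def iter_records(data):
    """Yield (offset, function, params) for each WMF record, stopping at META_EOF.

    Record sizes are in 16-bit words and include the 6-byte record header, so a
    size below 3 words is malformed; rejecting it also keeps a zero-size record
    from looping forever.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                               # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("malformed record size %d words at offset %d" % (size_words, off))
        end = off + size_words * 2
        yield off, func, data[off + 6:min(end, len(data))]   # tolerate a truncated tail
        if func == META_EOF:
            return
        off = end


def find_abortproc_escapes(data):
    """Return the offsets of every META_ESCAPE record whose subfunction is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def _record(func, payload=b""):
    """Build one WMF record: size in words (u32), function (u16), parameters."""
    if len(payload) % 2:
        payload += b"\0"
    return struct.pack("<IH", (6 + len(payload)) // 2, func) + payload


def _wmf(records, placeable=False):
    """Wrap records in a standard 18-byte header, optionally preceded by a placeable header."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) // 2 for r in records), 0)
    if placeable:
        # key, handle, bounding box (left, top, right, bottom), units per inch, reserved
        fields = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0                           # XOR of the ten preceding words
        for (word,) in struct.iter_unpack("<H", fields):
            checksum ^= word
        header = fields + struct.pack("<H", checksum) + header
    return header + body


# Constructed samples: a harmless two-record image, and the same image with a
# SETABORTPROC escape carrying filler bytes where an exploit would place code.
BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 1)), _record(META_EOF)])
SUSPICIOUS_RECORDS = [
    _record(META_SETMAPMODE, struct.pack("<H", 1)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x90" * 8),
    _record(META_EOF),
]
SUSPICIOUS_WMF = _wmf(SUSPICIOUS_RECORDS)
SUSPICIOUS_WMF_PLACEABLE = _wmf(SUSPICIOUS_RECORDS, placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF),
                       ("suspicious+placeable", SUSPICIOUS_WMF_PLACEABLE)):
        print(name, find_abortproc_escapes(blob))
```

The scanner reports any SETABORTPROC escape rather than trying to reproduce the exact conditions under which an unpatched GDI would call into the record, so it errs on the side of flagging; for triage of files arriving by e-mail or web that is the right trade-off, since a legitimate picture never needs the escape at all.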