A remote, unauthenticated attacker may be able to execute arbitrary code if the user is persuaded to view a specially crafted Windows Metafile.
Patch this now. There is already one verified worm in the wild that takes advantage of this, and more are undoubtedly on the way. This is literally a "view a web page with a bad image on it, and your computer is owned" exploit, so your firewall and such do not protect you one whit. Do not wait; patch it. Until MS bestirs itself to fix the problem, use Ilfak Guilfanov's patch. (Note: Bastard spammers are now apparently churning out many fake "patches" for this problem that do not fix it, but instead just install spyware and popup loaders on your system. So either install Guilfanov's patch, or do not install any patch at all.)
Edit: A tool to check whether your system is vulnerable is available here. Thanks to cassandrapoe.
Edit 2: Also check out spiderfarmer's post on the subject, which includes a link to an excellent Wikipedia page on the vulnerability.