Update. Apparently Steve Gibson was a bit rash in his conclusions, so this is not true after all!
Compelling article on why the recent WMF exploit was very likely intentionally placed by Microsoft.
In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor.