Steve: I removed the patch from my system, and I could not get the exploit to trigger using a metafile that I created with my own code. It just, you know, it came back and said it could not play the metafile, but it wouldn't run any of my own code.
So, you know, I scratched my head. I looked at, you know, at the other samples of malicious metafiles. And, you know, the way a metafile is built is there's a header, a set of bytes that's the header that talks about what version of Windows it's using, how large the whole metafile is, what the size of the largest metafile record contained within the metafile is, sort of gives Windows some orientation for the subsequent processing of these metafile records. Then you have a series of metafile records where each one starts out with a four-byte size of that record in words, then a two-byte function number which is what type of metafile record this is, then followed by between zero or however many data that function requires. So it's pretty straightforward.
Well, it turned out that, first of all, the way this Escape function was working was it didn't strike me as, like, erroneous. That is, what this Escape/SETABORTPROC function does, the idea is that when an application is printing to the printer, it creates something called a Device Context. I've got to get a little bit tricky here with Windows terminology. But, you know, everyone will be able to follow along. It creates something called a Printer Device Context where things like the thickness of the pen, the color of the pen, the size of the paper, sort of all the things that are about the context of this printing page are stored. So once the application has a page ready, it turns it over to Windows and says, okay, here, go print this. And essentially it's done with that page, and it gets on about its business, for example, maybe getting the next page ready to hand over to Windows to print.
The problem is, what if the user aborted that page, that is, aborted the printing of the page, after it had been handed over to Windows? Since the application that's doing the printing has already turned responsibility for the printing over to Windows, there's really no way for Windows to say, hey, oops, just want to let you know the user canceled your print job. So this SETABORTPROC is a means for giving that printer context, that printer device context, a subroutine that Windows can call back in the application. It's called a "callback," in fact, because Windows calls back the application to notify it if the user or something causes an abort of the print job. So, you know, that's what that is. It's well understood. It makes complete sense in a printer device context.