We confirmed in our lab this week that CSA 4.5 does block attempts to exploit the WMF vulnerability, recognizing it as an attempt to invoke a function from a buffer. I've attached a screen shot of the CSA query.
Only caution is this: the default response is to terminate the application running the exploit. However the 'out of the box' rules allow the user to permit the activity, which then allows the exploit to run. We're re-tuning our rules to prevent a yes reponse to this query.
Our testing was done with a live exploit. If you'd like to test this in-house, best bet is to go to a site with a known safe exploit wmf. (Besides the live ones keep getting taken down anyway!). This site is a good start:
http:// sipr.net / test.wmf (Remove spaces in URL)
A really good WMF exploit FAQ is here: