In order to exploit this vulnerability, an attacker must convince a user to visit a malicious web site. Attackers may provide links within e-mail messages or post links on public web sites. If the user follows the provided link, the attacker could cause the affected application to close or execute arbitrary code with the privileges of the user. If the user holds Administrator privileges, the attacker could execute arbitrary code, resulting in the complete compromise of the affected system.
Systems on which administrators have deployed anti-intrusion measures, such as reduced-privilege user accounts and host-based intrusion detection systems, are at a reduced risk. User education can also play a significant role in preventing exploitation. In addition, Windows Vista systems are less likely to be affected due to the default restrictions placed on both user and administrative accounts. Windows Server 2003 systems running Internet Explorer are also at a reduced risk for exploitation due to the Enhanced Security Configuration mode. The Enhanced Security Configuration mode sets the Internet security level to high by default, reducing the impact for web pages that are not yet included in the trusted sites zone.
Microsoft has resolved this vulnerability by improving the handling of errors that may occur when performing memory operations.