Attacks involving browser exploits typically require user interaction. An attacker must convince a user to visit a malicious web site, usually by providing the user with a link to it, and may use social engineering techniques to persuade the user to follow that link. If successful, the attacker could cause the user's browser session to terminate or could execute arbitrary code with the privileges of the user. If the user holds Administrator privileges, the attacker could execute code that results in complete system compromise.
Systems that restrict user privileges, or systems such as Windows Vista that have built-in controls restricting user privileges in applications, may see a lower impact if the exploit succeeds. While an attacker could gain access to user files in this instance, the overall impact to a vulnerable system would likely be low.
Windows Server 2003 systems running Internet Explorer are also at reduced risk because of the Enhanced Security Configuration mode. This mode sets the Internet security level to High by default, reducing the impact of web pages that are not yet included in the Trusted sites zone.
Microsoft has resolved this vulnerability by implementing improved error handling for attempts to access an invalid object.