Attackers rely on user interaction to exploit this vulnerability and must convince a user to visit a malicious website. Attackers may provide a link to a user in an e-mail message or on a website. If the user follows the link, the attacker could cause Internet Explorer to terminate or execute arbitrary code with the privileges of the user.
Microsoft rates this vulnerability as Critical for systems running Internet Explorer on Windows XP or Windows Vista. Microsoft rates the vulnerability as Moderate for systems running Internet Explorer on Windows Server 2003 or Windows Server 2008. Regardless of browser security configuration, this vulnerability could be exploited to execute arbitrary code with the privileges of the user. If that user holds Administrator privileges, the attacker could execute arbitrary code resulting in a complete system compromise.
Systems on which administrators have deployed anti-intrusion measures, such as reduced-privilege user accounts and host-based intrusion detection systems, are at a reduced risk. User education can also play a significant role in preventing exploitation. In addition, Windows Vista systems are likely to be affected to a lesser degree due to the default restrictions placed on user accounts.
Event data from Cisco Remote Management Services indicates reduced intrusion prevention system signature activity that is related to this vulnerability. Data captured on March 12, 2009 could indicate decreased attempts to exploit the vulnerability.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the February 2009 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for February 2009
Microsoft has resolved this vulnerability by implementing improved error handling when an attempt to access an uninitialized or previously deleted object occurs.
Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in an XML format. The processing of malicious XML in Microsoft Word could trigger an exploit because the document could reference the vulnerable Internet Explorer mshtml.dll component. Exploits have been observed in which attackers are building Word documents using XML constructs, saving them as .doc files, and delivering them via e-mail or hosting the malicious document on websites. Several AV vendors are reporting the activity. An attacker must still convince a user to view a Word document, likely by employing social engineering techniques, but users may be more likely to open a Word document because it is often perceived as a safe file type. The method of exploitation may allow attackers to bypass some mitigations and achieve an exploit outside the Internet Explorer application.