An attacker cannot exploit this vulnerability directly and must instead rely on user interaction. The attacker must convince the user to open a malicious document on the vulnerable system. The attacker may send documents to users via e-mail messages or post documents on public websites. Attackers may use social engineering techniques in an attempt to convince a user to open a provided document.
If an exploit is successful, the attacker could execute arbitrary code with the privileges of the user. On systems that restrict user privileges, an exploit may have little impact, as any code execution would occur with limited privileges. However, on systems that grant users elevated privileges, the attacker could completely compromise the system, as any executed code may run in a privileged security context.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the November 2009 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for November 2009