To exploit this vulnerability, an attacker relies on user participation. The attacker must convince a user to view a malicious document, likely delivered as an e-mail attachment or downloaded from a remote website. Attackers may use social engineering techniques to convince the user that the document originates from a trusted source, which may make the user more likely to open it.
If an exploit is successful, the attacker could execute arbitrary code with the privileges of the user. On systems that grant users elevated privileges, the attacker could execute code resulting in a complete system compromise. Systems such as Windows Vista or Windows 7 that contain built-in access controls, or systems that only allow users to run programs with limited privileges, are at lower risk because any executed code would also run with limited privileges.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the November 2009 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for November 2009