What's Important

|

Microsoft released a Windows Explorer patch yesterday with a rating of Important. The vulnerability is that under Windows 2000, with Web View enabled (which is the default), clicking on a specially crafted file in Windows Explorer runs code of the attacker's choice.

Now to me that seems kind of critical. I guess it's only rated Important because it requires user interaction. The user must save the file to disk rather than opening the file directly, as with an email attachment. Next they must open it in Windows Explorer.

You can see examples of exploit files over at SecurityFocus:

http://www.securityfocus.com/data/vulnerabilities/exploits/copy.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/simple.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/rename.doc
I just found the page where Microsoft details how it defines vulnerability severity. For Microsoft, to be considered critical a vulnerability must not require user interaction.

Critical
A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.

Important
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.

Moderate
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

Low
A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

This page contains a single entry by Roger published on May 11, 2005 12:27 PM.