It appears that the severity of the new vulnerability found in Windows Media Player's plug-in for non-IE browsers was downplayed by Microsoft.

According to iDefense's advisory: "Due to unicode translations, shellcode characters are somewhat limited to character code values below 0×80". So, my assumption was that MS ranked this vulnerability with 'Important' severity instead of 'Critical' because of the un-feasibility of injecting a usefully shell-code.

Well, I guess I was wrong. Alphanumeric shell codes can be used, and also SkyLined heap spraying method. Both Proof-of-Concepts were demonstrated by H D Moore and Matthew Murphy.

Back to the books...

A week ago, Mozilla Foundation released a new security update which included 8 advisories.
4 of the advisories were rated with 'Moderate' severity. At least 3 of them, IMHO, are exploitable for remote code execution with no user interaction.

Today, HD Moore, the author of Metasploit, published a remote code execution exploit for one of the 'Moderate' severity rated vulnerabilities.

This again shows you that Mozilla Foundation are not learning from past mistakes and are still downplaying vulnerabilities.

My guess is that they are waiting for an exploit in the wild before they are going to rate any exploitable memory corruption vulnerability as 'Critical'.