This bug has been snug for seventeen years rolled up into the Windows kernel. Another example of Microsoft incompetence? All hell could break loose, but they claim a password would still be needed to make this an exploit.