Hi Larry,

it is interesting to me how many people (and I do not refer to you) are writing something but not really reading the reliable sources, which have insights. Again, I am not referring to you – I just got a lot (and I really mean a lot) of questions around this vulnerability and most of it referred to some sources which I doubt whether they looked into the details.

I appreciate your comment as it seems that your source caused some misconceptions. I you go to the MSRC blog (Microsoft Security Response Center) which is responsible for running the process around security vulnerabilities and look at their post (Microsoft out-of-band Security Bulletin (MS08-067) Webcast Q&A ) I would like to quote:

"Q: On Windows Vista, if User Access Control (UAC) has been disabled, should this be considered critical instead of important?

A: If the UAC prompting is disabled, the integrity levels foundational work still works to require authentication.  The Security Vulnerability Research & Defense blog has a LOT more information about this.  It is still important though…Protections afforded by UAC enhancements are in place even if the UAC prompting has been disabled."  

Additionally the SWI blog (referenced above) gives you some additional – really deep – background on the vulnerability.

"UAC mitigates even when the prompting is disabled

As mentioned above, Windows Vista and Windows Server 2008 by default require authentication. But the security callback on the RPC interface has not been changed on the more recent platforms. Instead, the UAC and integrity level hardening work introduced with Vista is forcing the authentication requirement. The anonymous user connects with integrity level "Untrusted" while the named pipe requires at least a "Low" integrity level. Since "Untrusted" is lower than "Low" integrity level, the access check fails. Note that disabling the UAC prompt does not disable the integrity level access check. In other words, regardless of whether the UAC prompt is enabled or disabled, the integrity level check will be performed. The integrity level check will fail on Vista and Windows Server 2008 if the user connects anonymously. See http://msdn.microsoft.com/en-us/library/bb625963.aspx for more information.

There is a non-default scenario where a non-domain-joined Windows Vista and Windows Server 2008 can be exploited anonymously. If the feature “Password Protected Sharing” is disabled, anonymous connections come in at “Medium” integrity level. Because "Medium" integrity level is a higher integrity level than "Low", the integrity level check will succeed. This would allow Windows Vista and Windows Server 2008 to be exploited anonymously. This feature could be disabled through Vista’s Network Sharing Center in the “Sharing and Discovery” section. "

Last but not least, DEP was already part of Windows XP SP2 – even though disabled by a lot of OEMs.

Does this help? Again, I did by far not want to insult you. I just do not like all the speculations which are not based on technical knowledge and analysis – not even sound investigation (like the link above)

Any comment from your side is more than appreciatedè!

Roger