Quick (and possibly false) analysis of #MS11-083: the bug is in the ippRateLimitICMP function. >Vista returns ICMP error messages for connection attempts to closed ports, but limits them to slow down portscan attempts. If you send enough UDP packets to reach the limit, an error condition gets raised, but the old version missed a call to IppDereferenceLocalAddress, which results in the infamous refcount overflow. :) Somebody with more time should look into the exact structure layout. The bug is definitely interesting!
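The bug class described above (a reference taken on entry and not released on the rate-limited error path), as an added toy model in C that is not code from the original post or from Windows. All names, the limit of 10 and the 16-bit counter are assumptions chosen so the wrap is cheap to observe; the real layout and counter width are not given here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model only: every name, the limit and the 16-bit counter are assumptions.
   The page does not give the real structure layout or counter width. */
typedef struct { uint16_t refcount; } local_addr;
typedef struct { unsigned sent_in_window; } rate_limiter;

#define ICMP_ERROR_LIMIT 10u /* constructed value: ICMP errors allowed per window */

static void addr_reference(local_addr *a)   { a->refcount++; }
static void addr_dereference(local_addr *a) { a->refcount--; }

/* Decide whether an ICMP error may be sent for a packet to a closed port.
   patched=false models the old code path, patched=true the fixed one. */
static bool rate_limit_icmp(rate_limiter *rl, local_addr *a, bool patched)
{
    addr_reference(a);                 /* hold the address while deciding */
    if (rl->sent_in_window >= ICMP_ERROR_LIMIT) {
        if (patched)
            addr_dereference(a);       /* the release the old version missed */
        return false;                  /* limit reached: error path */
    }
    rl->sent_in_window++;
    addr_dereference(a);               /* normal path always releases */
    return true;
}

/* Run `packets` closed-port packets through one window; return the final count. */
uint16_t simulate(uint32_t packets, bool patched)
{
    local_addr a = { .refcount = 1 };  /* one legitimate long-lived owner */
    rate_limiter rl = { 0 };
    for (uint32_t i = 0; i < packets; i++)
        rate_limit_icmp(&rl, &a, patched);
    return a.refcount;
}

int main(void)
{
    /* 10 packets pass the limiter; each later one leaks a reference when unpatched. */
    printf("unpatched, 110 packets:   %u\n", (unsigned)simulate(110, false));
    printf("unpatched, 65545 packets: %u\n", (unsigned)simulate(65545, false));
    printf("patched,   65545 packets: %u\n", (unsigned)simulate(65545, true));
    return 0;
}
```

In the unpatched model the count wraps to 0 while the original owner still holds the object, which is why a missed release on an error path matters; with the release in place the count stays at 1 regardless of packet volume.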