Tuesday, January 29, 2008

MOVB-10 Bug or security flaw?

[ MOVB is back on track ... time to finish up before Vista SP1 is out! ]

An interesting bug from Microsoft Knowledge Base 945438:
Consider the following scenario:
  • On a computer that is running Windows Vista, you use Microsoft Office PowerPoint 2007 to record audio, or you use another application to record audio.
  • The application calls the acmFormatChoose function to display a dialog box so that you can select the waveform-audio format.
In this scenario, the application crashes.
What is more interesting is the logic behind this bug:
The acmFormatChoose function tries to free a pointer that was not allocated.
Bug or security flaw? Given Vista heap protections, this one might be hard to exploit, even locally. But who dares to say impossible, when it comes to bug exploitation?
