This was an EXPLOITABLE-rated crash in IE8. An HTML Object element contained an inner document with its own IFrame, and caching a reference to the nested window’s open method before destroying the outer object left a dangling function pointer that, when called, caused memory corruption.
cachedOpen = oHtml.object.parentWindow[0].open;
oHtml.object.parentWindow.location.href = "about:blank";
oWindow = cachedOpen("html_inside_object.html", "_top");
oHtml.outerHTML = "Object Destroyed!";
oWindow.alert(longString);
The crash occurred in MSHTML!CDoc::Open after the outer HTML Object had been replaced. WinDBG classified it as EXPLOITABLE — data from the faulting address directly controlled code flow. The nesting of objects-within-objects created a reference-counting scenario that the engine did not handle safely.
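To make the reference-counting failure described above concrete, here is an added C model (not MSHTML code, and not a reproduction of the crash): a cached method that holds only a raw pointer to its window becomes dangling once the outer document releases that window, whereas a cache that takes its own reference keeps the receiver alive until the cached function is itself released. All type and function names are hypothetical.

```c
#include <stdlib.h>

/* Model of a window object whose methods script can cache. Constructed
 * illustration only; it is not MSHTML code and does not reproduce the bug. */
typedef struct Window {
    int refcount;   /* owners holding a strong reference */
    int alive;      /* 0 once the last reference is dropped */
} Window;

/* What script keeps when it stores `win.open` into a variable. */
typedef struct CachedMethod {
    Window *owner;
    int hardened;   /* 1: the cache itself holds a reference on owner */
} CachedMethod;

static void window_addref(Window *w) { w->refcount++; }

/* A real engine returns the block to the heap here; the model only marks it
 * dead so a later call through a stale pointer is observable, not undefined. */
static void window_release(Window *w) {
    if (--w->refcount == 0) w->alive = 0;
}

static CachedMethod cache_open(Window *w, int hardened) {
    CachedMethod m = { w, hardened };
    if (hardened) window_addref(w);   /* bound method keeps its receiver alive */
    return m;
}

/* Returns 0 on a valid call, -1 when the receiver is already gone. */
static int call_cached_open(const CachedMethod *m) {
    if (!m->owner->alive) return -1;  /* dangling: use after destruction */
    return 0;
}

static void drop_cached(CachedMethod *m) {
    if (m->hardened) window_release(m->owner);
    m->owner = NULL;
}

/* Replays the sequence from the post: cache open, destroy the owning
 * document, then call the cached function. */
int cache_then_destroy_then_call(int hardened) {
    Window win = { 1, 1 };                       /* ref held by the outer document */
    CachedMethod cached = cache_open(&win, hardened);
    window_release(&win);                        /* outer object destroyed */
    int rc = call_cached_open(&cached);
    drop_cached(&cached);                        /* hardened path frees the window here */
    return rc;
}
```

The unhardened path returns -1 (the receiver was torn down under the cached pointer), while the hardened path returns 0 and the window is only released after the cache drops its reference.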
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.