Loading a Flash file from a different domain inside an iframe — where the Flash called GetURL with a javascript: target — and then reloading the main page twice caused an exploitable crash in IE8. The crash was classified as EXPLOITABLE by the debugger extension.

<iframe src="http://otherdomain.com/geturl.swf?METHOD=get&TARGET=_parent&REDIR=javascript:void(1);//" width="200" height="50"></iframe>
<input type="button" value="Reload" onclick="location.reload()" />

The fault was a DEP violation at an address on the heap, with the instruction pointer landing in a freed block — a strong indicator of use-after-free. The call chain passed through mshtml!CElement::Doc during a window proxy security check triggered by the page refresh.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.