Credit: VUPEN
At CanSecWest last March, VUPEN dropped their exploit for an integer overflow in array resizing of a Vector Markup Language (VML) element property. Do not be fooled by the version of this exploit in Metasploit that uses heap sprays and Java to bypass DEP and ASLR. VUPEN’s exploit needed neither before gaining code execution in IE10 on Windows 8.