Credit: Tavis Ormandy
This vulnerability caused a lot of trouble for Tavis when he posted it to the Full-Disclosure mailing list, but even the most ardent supporters of responsible disclosure have to agree that its exploitation method is very impressive. To achieve silent code execution, Tavis chained together four separate weaknesses: a URL escaping bug in helpctr.exe, a cross-site scripting bug in a system HTML file, an IE-specific script attribute, and an iframe in an ASX file displayed by Windows Media Player. No single link in that chain would have been enough on its own; it is the combination that turns a minor parsing flaw into code execution without user interaction.