The 2010 Pwnie Nominee For Best Client-Side Bug

Windows Help Center escape sequence vulnerability (CVE-2010-1885)

Credit: Tavis Ormandy

This vulnerability caused a lot of trouble for Tavis when he posted it to the Full-Disclosure mailing list, but even the most ardent supporters of responsible disclosure have to agree that the exploitation method for it is very impressive. To achieve silent code execution, Tavis chained together a URL escaping bug in helpctr.exe, a cross-site scripting bug in a system HTML file, an IE-specific script attribute, and an iframe in an ASX file displayed by Windows Media Player.