Dragging selected text from one input box to another crashes Internet Explorer when document.open() is called from the ondragstart handler. document.open() implicitly clears the document, so the native drag/selection tracker that MSHTML set up for the source input is left running over nodes that no longer exist. The crash reproduced on IE10 on Windows 8; exploitability was rated UNKNOWN.
<!-- Repro: select the text in the first input, then drag it onto the second one. -->
<input ondragstart="document.open()" value="DRAG ME TO THE INPUTBOX BELOW" />
<input />
The WinDbg session showed a null class pointer read in MSHTML!CSelectTracker::DoTimerDrag, consistent with the tracker's timer callback firing after document.open() had torn down the document it was tracking. Tested on IE10 and IE11 build 20130227-2100.
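The page above gives the one-line repro. When triaging this class of bug (a DOM mutation inside a drag handler pulling the document out from under a native tracker) it helps to have a harness that survives the crash it is looking for. The following is an added example, not code from the original post, written in the IE10/11-era JavaScript the bug was found with. It cycles through a list of candidate mutations, one per page load, and records progress in sessionStorage before mutating, so that after a tab crash a reload shows which mutation was running. Only document.open() is the crash described on this page; the other entries in the mutation list, and the storage key names, are assumptions added for illustration.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>dragstart DOM-mutation harness (added example)</title>
</head>
<body>
<p>Select the text in the first box and drag it onto the second. After a crash, reload the page: the harness moves on to the next mutation.</p>
<input id="src" value="DRAG ME TO THE INPUTBOX BELOW">
<input id="dst">
<pre id="log"></pre>
<script>
// Candidate mutations to run from inside the dragstart handler.
// Entry 0 is the crash the post describes. The rest are assumptions:
// plausible ways to invalidate what a native drag/selection tracker holds,
// included so the harness can tell them apart. A mutation that does NOT
// crash is just as informative as one that does.
var mutations = [
  ['document.open()',         function () { document.open(); }],
  ['document.open()+write',   function () { document.open(); document.write('<input>'); document.close(); }],
  ['remove source input',     function () { var s = document.getElementById('src'); s.parentNode.removeChild(s); }],
  ['replace body innerHTML',  function () { document.body.innerHTML = '<input>'; }],
  ['navigate to about:blank', function () { location.href = 'about:blank'; }]
];

// Hypothetical storage keys (not from the original post). sessionStorage
// survives a tab crash followed by a reload, which is what we need.
var STEP_KEY = 'dragHarness.step';
var RESULT_KEY = 'dragHarness.result.';   // + step index

var step = parseInt(sessionStorage.getItem(STEP_KEY) || '0', 10);
var logEl = document.getElementById('log');
function log(msg) { logEl.textContent += msg + '\n'; }

// Summarise earlier steps. A step with no recorded result is one where
// dragend never fired: the tab died, the page navigated away, or the
// mutation itself erased the listeners (document.open() does that too),
// so the crash dialog is still the final arbiter.
for (var i = 0; i < step; i++) {
  log('step ' + i + ' [' + mutations[i][0] + ']: ' +
      (sessionStorage.getItem(RESULT_KEY + i) || 'no dragend recorded (crash, navigation or listeners erased)'));
}

if (step >= mutations.length) {
  log('all ' + mutations.length + ' mutations done; run sessionStorage.clear() to restart');
} else {
  log('step ' + step + ' [' + mutations[step][0] + ']: drag the text now');
  document.getElementById('src').addEventListener('dragstart', function () {
    // Advance the counter BEFORE mutating: if the browser dies inside the
    // mutation, the reload still knows which step was running.
    sessionStorage.setItem(STEP_KEY, String(step + 1));
    mutations[step][1]();
  });
  // dragend bubbles to the document whether or not a drop happened, so
  // reaching it means the mutation survived the whole drag on this build.
  document.addEventListener('dragend', function () {
    sessionStorage.setItem(RESULT_KEY + step, 'dragend fired, no crash');
    log('dragend fired; mutation survived on this build');
  });
}
</script>
</body>
</html>
```

Serve the file from a real origin (file:// URLs get sessionStorage in some builds and not others) and repeat the drag once per load; the summary printed at the top of each reload is the triage record.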
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.