Calling document.execCommand("EditMode") from inside an HTC behavior file crashed IE11 with a null read in MSHTML!COmWindowProxy::Markup. Classified PROBABLY_NOT_EXPLOITABLE.
behavior.htc:
<script>document.execCommand("EditMode");</script>
Host page:
<script>
function main()
{
    document.body.style.behavior = "url(behavior.htc)";
}
</script>
When the HTC script ran execCommand("EditMode"), MSHTML’s COmWindowProxy::Markup tried to dereference ecx (the window proxy’s markup pointer), which was null at that point in the behavior attachment lifecycle. The HTC was being activated before the window proxy’s markup reference was fully established.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.