Microsoft Internet Explorer 6 SP2 and earlier allows remote attackers to cause a denial of service (crash) via certain malformed HTML, possibly involving applet and base tags without required arguments, which triggers a null pointer dereference in mshtml.dll.
https://exchange.xforce.ibmcloud.com/vulnerabilities/26808
http://www.securityfocus.com/bid/18112
http://www.securityfocus.com/archive/1/435129/30/4710/threaded
http://www.securityfocus.com/archive/1/435095/30/4710/threaded