Uninitialized memory call on the Window() function within the OnLoad handler of the BODY tag allows code execution.
vulners.com/securityvulns/securityvulns:doc:10294