When InstallVersion.compareTo() is passed an object rather than a string
it assumed the object was another InstallVersion without verifying it.
When passed a different kind of object the browser would generally
passed on some OS versions to get control over the instruction pointer.
We assume this could be developed further to run arbitrary machine code
if the attacker can get exploit code loaded at a predictable address.(2005-12-14) Aviv Raff has posted a proof of concept
exploit of this flaw that demonstrates execution of attacker-supplied
code on windows.