This Metasploit module exploits a heap overflow vulnerability in Internet Explorer caused by an incorrect handling of the span attribute for col elements from a fixed table, when they are modified dynamically by javascript code.
aaf1f1bff58af8d0e890f965766d5618a2de8a76a4a4edc1da853071f2054364