HTML_EXPDROP.II then loads the malicious Moh2010.swf (SWF_DROPPR.II, SWF_DROPPR.IJ, SWF_DROPPR.IK or SWF_DROPPR.IL).
The CMshtmlEd::Exec method then tries to access the freed heap memory of the CMshtmlEd object. Calling CMshtmlEd::Exec raises an exception, which in turn leads to arbitrary code execution. (This is the "use" part of the "use-after-free" vulnerability.)
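The stale access described above can be modelled safely in a few lines of C. This is an added example, not code from the original page or from Internet Explorer: it shows an Exec-style routine that keeps a raw pointer across a call that frees the object, next to a form that pins the object with its own reference. The `Editor` type, the static pool and the `drop_owner_ref` handler are hypothetical; how the real object comes to be freed is not shown in this section, so the model simply assumes a handler releases it while Exec is running.

```c
#include <stdio.h>
/* Hypothetical stand-in for the editor object; not the real CMshtmlEd layout. */
typedef struct Editor { int refs; int alive; int commands; } Editor;
typedef void (*Handler)(Editor **owner);
/* Static pool instead of malloc/free, so a stale read is observable, not undefined. */
static Editor pool[8];
static unsigned pool_next;
static Editor *editor_new(void) {
    Editor *ed = &pool[pool_next++ % 8];
    ed->refs = 1; ed->alive = 1; ed->commands = 0;
    return ed;
}
static void editor_addref(Editor *ed) { ed->refs++; }
static void editor_release(Editor *ed) {
    if (--ed->refs == 0) ed->alive = 0;       /* real code would free() here */
}

/* Constructed handler (assumption): drops the owner's only reference mid-call. */
static void drop_owner_ref(Editor **owner) {
    if (*owner) { editor_release(*owner); *owner = NULL; }
}

/* Before: Exec keeps a raw pointer across the handler call. */
static int exec_unguarded(Editor *ed, Handler h, Editor **owner) {
    h(owner);
    if (!ed->alive) return -1;                /* the "use" would land on freed memory */
    ed->commands++;
    return 0;
}

/* After: Exec pins the object with its own reference until it is done. */
static int exec_guarded(Editor *ed, Handler h, Editor **owner) {
    editor_addref(ed);
    h(owner);
    int rc = ed->alive ? 0 : -1;              /* still alive: our reference holds it */
    if (rc == 0) ed->commands++;
    editor_release(ed);                       /* last reference: released only now */
    return rc;
}

static int run_model(int guarded) {
    Editor *owner = editor_new();
    return guarded ? exec_guarded(owner, drop_owner_ref, &owner)
                   : exec_unguarded(owner, drop_owner_ref, &owner);
}
int main(void) {
    printf("unguarded=%d guarded=%d\n", run_model(0), run_model(1));
    return 0;
}
```

In the unguarded form the model reports the stale access instead of performing it; in real code that read is the point at which freed heap memory is dereferenced.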