<object id="foo" classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" />
document.foo advertises no property or method that is not available from an object with no classid.
For those of you playing at home, yes this classid is one of the vulnerable ActiveX controls used in the MDAC / ie_createobject exploits. If the object actually got instantiated correctly and we can talk to it, typeof(document.foo.CreateObject) returns "unknown" rather than the "undefined" returned for properties that don't exist. So if we know a specific method that the ActiveX implements, we can check to make sure it worked using that. It is unfortunate, then, that there does not seem to be a standard method or property that all ActiveX objects must implement. Unless I'm missing something, because of the lack of a universal method or property, we cannot generically determine whether an ActiveX control created in this way was successfully instantiated. Thus, my "solution" for now is to save a method to test along with the classid. If this doesn't work, I just might give up on browser_autopwn's fingerprinting altogether and simply throw every single exploit at the client. And also maybe shoot myself. I really hate IE.