With fix-it installed:

0:031> vertarget
Windows 7 Version 7601 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.1.7601.18015 (win7sp1_gdr.121129-1432)
Machine Name:
Debug session time: Tue Sep 17 11:21:59.108 2013 (GMT-7)
System Uptime: 1 days 22:35:07.458
Process Uptime: 0 days 0:08:19.521
  Kernel time: 0 days 0:00:01.500
  User time: 0 days 0:00:00.984

0:031> !lmi mshtml
Loaded Module Info: [mshtml]
         Module: MSHTML
   Base Address: 658c0000
     Image Name: C:\Windows\system32\MSHTML.dll
   Machine Type: 332 (I386)
     Time Stamp: 51f8e679 Wed Jul 31 03:27:05 2013
           Size: bc9000
       CheckSum: bca41d
Characteristics: 2102 perf
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    23, aaf5e8,   aae9e8 RSDS - GUID: {61E17C08-EBE2-4179-922D-C71D61F79FE7}
               Age: 2, Pdb: mshtml.pdb
                CLSID     4, aaf5e4,   aae9e4 [Data not mapped]
     Image Type: FILE - Image read successfully from debugger.
                 C:\Windows\system32\MSHTML.dll
    Symbol Type: PDB - Symbols loaded successfully from symbol server.
                 c:\users\ivan\symbols\mshtml.pdb\61E17C08EBE24179922DC71D61F79FE72\mshtml.pdb
    Load Report: public symbols , not source indexed
                 c:\users\ivan\symbols\mshtml.pdb\61E17C08EBE24179922DC71D61F79FE72\mshtml.pdb

0:031> .sympath srv*c:\users\ivan\symbols*http://msdl.microsoft.com/download/symbols;c:\windows\system32
Symbol search path is: srv*c:\users\ivan\symbols*http://msdl.microsoft.com/download/symbols;c:\windows\system32
Expanded Symbol search path is: srv*c:\users\ivan\symbols*http://msdl.microsoft.com/download/symbols;c:\windows\system32

; Find differences in mshtml module
0:031> !chkimg -d mshtml
    65cf689a-65cf689c  3 bytes - MSHTML!CDoc::SetMouseCapture+27
    [ 5a 00 04:6d 8d 67 ]
3 errors : mshtml (65cf689a-65cf689c)

0:031> u MSHTML!CDoc::SetMouseCapture l 20
MSHTML!CDoc::SetMouseCapture:
65cf6871 8bff                  mov     edi,edi
65cf6873 55                    push    ebp
65cf6874 8bec                  mov     ebp,esp
65cf6876 81eca0000000          sub     esp,0A0h
65cf687c 53                    push    ebx
65cf687d 8b5d08                mov     ebx,dword ptr [ebp+8]
65cf6880 56                    push    esi
65cf6881 57                    push    edi
65cf6882 8bf9                  mov     edi,ecx
65cf6884 f7879807000000100000  test    dword ptr [edi+798h],1000h
65cf688e 8bf0                  mov     esi,eax
65cf6890 0f855b000400          jne     MSHTML!CDoc::SetMouseCapture+0x21 (65d368f1)
65cf6896 85db                  test    ebx,ebx
65cf6898 0f856d8d6700          jne     MSHTML!_NULL_IMPORT_DESCRIPTOR+0x420b (6636f60b)   ; wtf ?
65cf689e 53                    push    ebx
65cf689f e88d2affff            call    MSHTML!CDoc::ClearMouseCapture (65ce9331)
65cf68a4 5f                    pop     edi
65cf68a5 5e                    pop     esi
65cf68a6 5b                    pop     ebx
65cf68a7 c9                    leave
65cf68a8 c21400                ret     14h

0:031> !address 6636f60b
ProcessParametrs 001c9808 in range 001c9000 001ca000
Environment 029ae650 in range 029ae000 029af000
    658c0000 : 658c1000 - 00ab9000
                    Type     01000000 MEM_IMAGE
                    Protect  00000020 PAGE_EXECUTE_READ
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageImage
                    FullPath C:\Windows\system32\MSHTML.dll

; code added into mshtml .text section
0:031> u 6636f60b
MSHTML!_NULL_IMPORT_DESCRIPTOR+0x420b:
6636f60b 66f743260100          test    word ptr [ebx+26h],1                          ; test bit 0 of a WORD member at offset +0x26 of Arg0 (flags?)
6636f611 0f848d7298ff          je      MSHTML!CDoc::SetMouseCapture+0x227 (65cf68a4) ; bit clear: skip ClearMouseCapture, straight to the epilogue
6636f617 e9dc729cff            jmp     MSHTML!CDoc::SetMouseCapture+0x32 (65d368f8)  ; bit set: back to the normal path
6636f61c 0000                  add     byte ptr [eax],al                             ; zero bytes after the unconditional jmp, never reached

0:031> u 65cf68a4
MSHTML!CDoc::SetMouseCapture+0x227:
65cf68a4 5f                    pop     edi
65cf68a5 5e                    pop     esi
65cf68a6 5b                    pop     ebx
65cf68a7 c9                    leave

This WORD looks like a member of the HtmlLayout::TextBlock::TextBlock class, because cross-references show this flags-type field being manipulated only on objects of that type. See HtmlLayout::TextBlockBuilder::BuildTextBlock and its "or word ptr [eax+26h], 1" instruction. I don't know what this flag means, and I don't know how this code update could prevent a UAF.
Warning: I could be totally wrong (kthx)

Original mshtml code is:

0:089> u mshtml!cdoc::setmousecapture l 20
MSHTML!CDoc::SetMouseCapture:
6ddb6871 8bff                  mov     edi,edi
6ddb6873 55                    push    ebp
6ddb6874 8bec                  mov     ebp,esp
6ddb6876 81eca0000000          sub     esp,0A0h
6ddb687c 53                    push    ebx
6ddb687d 8b5d08                mov     ebx,dword ptr [ebp+8]
6ddb6880 56                    push    esi
6ddb6881 57                    push    edi
6ddb6882 8bf9                  mov     edi,ecx
6ddb6884 f7879807000000100000  test    dword ptr [edi+798h],1000h
6ddb688e 8bf0                  mov     esi,eax
6ddb6890 0f855b000400          jne     MSHTML!CDoc::SetMouseCapture+0x21 (6ddf68f1)
6ddb6896 85db                  test    ebx,ebx
6ddb6898 0f855a000400          jne     MSHTML!CDoc::SetMouseCapture+0x32 (6ddf68f8)   ; jne detoured by shim
6ddb689e 53                    push    ebx
6ddb689f e88d2affff            call    MSHTML!CDoc::ClearMouseCapture (6dda9331)
6ddb68a4 5f                    pop     edi
6ddb68a5 5e                    pop     esi
6ddb68a6 5b                    pop     ebx
6ddb68a7 c9                    leave
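As an added example (my code, not part of the original post or of the fix-it), the Python below re-derives the detour from the three bytes !chkimg flagged: it decodes the rel32 of the original and patched jne, checks that the new target lands inside the MSHTML image as !address showed, and models the flag check the detour performs. Addresses and bytes come from the listings above; the function names and the shim_path model are my own reading of the disassembly.

```python
import struct

# Values taken from the fix-it session listings above (module base 658c0000).
MSHTML_BASE = 0x658C0000              # !lmi mshtml: Base Address
MSHTML_SIZE = 0xBC9000                # !lmi mshtml: Size
JNE_VA = 0x65CF6898                   # the jne whose rel32 !chkimg flagged
ORIGINAL_JNE = bytes.fromhex("0f855a000400")   # jne SetMouseCapture+0x32
PATCHED_JNE = bytes.fromhex("0f856d8d6700")    # jne _NULL_IMPORT_DESCRIPTOR+0x420b


def chkimg_diff(original, patched, start_va):
    """Report the first..last differing byte run the way '!chkimg -d' does."""
    diffs = [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]
    if not diffs:
        return None
    lo, hi = diffs[0], diffs[-1] + 1
    return start_va + lo, original[lo:hi], patched[lo:hi]


def branch_target(insn, va):
    """Resolve a near Jcc (0F 8x rel32) or jmp (E9 rel32) located at va."""
    if insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F:
        rel, length = struct.unpack_from("<i", insn, 2)[0], 6
    elif insn[0] == 0xE9:
        rel, length = struct.unpack_from("<i", insn, 1)[0], 5
    else:
        raise ValueError("not a rel32 branch")
    return (va + length + rel) & 0xFFFFFFFF   # target = next instruction + rel32


def inside_mshtml_image(va):
    """The question !address answered: does the target lie inside the MSHTML image?"""
    return MSHTML_BASE <= va < MSHTML_BASE + MSHTML_SIZE


def shim_path(arg0, flags_word):
    """Control flow after the patched jne (arg0 = ebx, flags_word = [ebx+26h])."""
    if arg0 == 0:
        return "ClearMouseCapture"   # jne not taken: push ebx / call ClearMouseCapture
    if flags_word & 1 == 0:
        return "epilogue"            # detour's je taken: return without clearing
    return "normal"                  # detour's jmp: continue at SetMouseCapture+0x32


if __name__ == "__main__":
    print(chkimg_diff(ORIGINAL_JNE, PATCHED_JNE, JNE_VA))
    for name, insn in (("original", ORIGINAL_JNE), ("patched", PATCHED_JNE)):
        t = branch_target(insn, JNE_VA)
        print(f"{name}: jne -> {t:08x}, inside image: {inside_mshtml_image(t)}")
```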