Calling VariantClear on a OUT param can lead to security hole !!!

There was a mail thread going on internally where a security hole was suspected due to VarianltClear() being called inside a method on a out param. Since i am new to COM world, I asked my fellow MSFTian Paul Dempsey that how can it be possible. Here is what he told me...

When passing into an OUT parameter, since this variable is receiving a value there is no requirement to initialize it. If the method calls VariantClear on an uninitialized variant, then what happens depends on the exact pattern of bits in that piece of memory. If the vt part is not a valid variant type, nothing happens. If it is 9 (a Unicode TAB character and also VT_DISPATCH), VariantClear calls Release on the pointer in the variant. This will usually be some invalid address and the application crashes, but if an attacker arranges for the right bits to be in the memory that the variant comes from, he can cause code of his choice to run, yielding elevation of privilege if the code is running in elevated mode.

I though that this information could be useful for COM Beginners so just shared here :).