Windows Bug Class: Accessing Trapped COM Objects with IDispatch

ID: 93a6d967-e2e7-551a-8f61-07d92f449fdd

STIX ID: report--93a6d967-e2e7-551a-8f61-07d92f449fdd

Feed Name: Google Project Zero

Threat Score: 65/100

Date Published: 2025-01-30

Date Updated: 2026-04-27

Author: Google Project Zero

James Forshaw (Google Project Zero) analyzes a class of COM/.NET remoting vulnerabilities he calls "trapped object" bugs and demonstrates a proof-of-concept technique that abuses IDispatch/type-library CreateInstance and TreatAs registration to trap and instantiate objects inside higher-privileged processes. By enabling DCOM reflection and redirecting the StdFont coclass to a .NET COM class, the PoC can load the .NET runtime in a PPL-Windows process and execute code, with OS/version-specific workarounds described. The writeup documents implementation steps, Windows 10 vs Windows 11 differences, mitigations in oleaut32/VerifyTrust, and operational constraints (e.g., required registry changes, signing-level behavior), and notes no evidence of active exploitation.