Arbitrary x86 from Partially Trusted C# App
Yesterday I discovered a bug in the JIT that not only causes incorrect results, but also allows the type system to be circumvented, which in turn leads to the possibility of arbitrary code execution. I have a proof-of-concept that executes arbitrary x86 code from a verifiable and partially trusted C# application.
Jeroen single-handedly wrote a JVM in .NET that can execute and debug Java classes from .NET/Mono. He is pretty used to exploring the dark corners of .NET and finding strange bugs. The proof-of-concept will be released after a patch has been made available via Windows Update in the next few months.