MS07-040 - remote code execution in .NET Framework?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Can anyone explain how the issues

.NET PE Loader Vulnerability - CVE-2007-0041
.NET JIT Compiler Vulnerability - CVE-2007-0043

could affect a system? According to the description, it allows an attacker
to execute arbitrary code withing the context of the current user. As by
what the PE Loader and the JIT Compiler do, it seems like it would require
the user to execute the malicious program.

I wonder how this should be a security vulnerability since every .NET
program it free to do whatever it wants. Code Access Security is designed to
only help legitimate programs limiting their impact on the system but not to
provide any kind of sandbox, and especially .NET 1.x (listed as affected) is
impossible to redesign for providing any kind of sandboxing.

Alternately: Do you know where and how to contact any representative of the
Microsoft Security Team that could explain the issue?

Site Timeline