Yesterday I discovered a bug in the JIT that not only causes incorrect results, but also allows the type system to be circumvented, which in turn leads to the possibility of arbitrary code execution. I have a proof-of-concept that executes arbitrary x86 code from a verifiable and partially trusted C# application.
I reported the bug to Microsoft and it turns out that it was independently discovered and reported by someone else in August (but who, I believe, did not understand the security implications of the bug). The bug was subsequently fixed in September and the fix made it into the Vista release of the .NET Framework 2.0 (so if you're running Vista, you're not vulnerable.)
They tell me that a fix will be distributed via Windows Update "sometime in the next few months". If you don't want to be vulnerable in the mean time, disable running .NET code in the browser and don't run any ClickOnce applications from untrusted sources.
I will publish my proof-of-concept and analysis after the patch is released.