WWWTC #9 ranks 10 out of 10 on the "difficult and subtle" scale. Let's say we write the following code to call the method Jill wrote:
Sub ExploitIt(ByVal path As String, ByVal data As Byte())
Dim j As New JillsObject
' setup an environment that will force
' an exception after impersonation starts,
' than call into the method
Catch When RunMaliciousCode() = True
Function RunMaliciousCode() As Boolean
' here is your chance to execute code as an admin...
The problem is that the exception filter (RunMaliciousCode) has a chance to execute before Jill's method turns off impersonation in the finally clause.
I planned on going into more detail, but Jonas provided two links in the comments that point to a pair of excellent posts by Shawn Farkas. See:
Safely Impersonating Another User
Impersonation and Exception Filters in v2.0