Security implications of open CoreCLR (CoreRun.exe)

Completed on 05-Feb-2016 (26 days) -- Updated on 23-Nov-2016

Some of the conclusions of this project aren't applicable anymore.
To know more about all this, read "OVER-8-MONTH-LATER UPDATE" in the Open .NET & CoreCLR section.

Project 8 in full-screenProject 8 in PDF
Usage of CoreRun.exe >
Visual Studio & .NET version

CoreRun.exe is not a .NET application, although its whole purpose is precisely dealing with .NET applications and that's why the installed .NET Framework is also relevant to it. The question is: can CoreRun.exe deal with any .NET Framework version? The answer seems to be yes, mainly on account of the traditionally-quite-reliable .NET backwards compatibility.

CoreRun.exe relies on certain Visual Studio files and that's why having this IDE installed is one of its requisites. I did some tests on a VS-free machine to see how easily the required conditions might be replicated without performing a whole installation. The results were quite discouraging (i.e., good from a safety point of view): firstly, clearly-defined errors which were quickly fixed after some research; then, the errors stopped appearing but the .NET executable didn't work as expected either. Thus, having a Visual Studio version installed doesn't seem replaceable; at least, not according to the "easy enough or no threat" basic assumption of this project.

Regarding the Visual Studio version, it is expressly stated that CoreCLR requires VS 2013 or 2015 to be installed. This somehow curious requirement seems to indicate that the CoreCLR code relies on files/features only present in VS 2013/2015. Such an assumption was confirmed when I tried to run CoreRun.exe on a computer where only VS 2012 was installed; I even re-compiled the code with VS 2012 (by updating the "Platform Toolset" value for all the projects in the solution). The aforementioned situation was repeated: neither errors nor warnings, but the .NET executable didn't work as expected either. After installing VS 2015 on that computer, CoreRun.exe and the .NET executable started working fine.

In summary: CoreRun.exe can deal with .NET executables of any version (less safe), but only on computers where Visual Studio 2013 or newer is installed (safer).