Using Memory Errors to Attack a Virtual Machine [pdf]
A. Appel and Sudhakar Govindavajhala
This hack is way cool, mainly because it's not just theoretical. Some people at work saw this demonstrated at a recent security conference (see page 9 for the setup). The attack goes as follows: get the JVM (or .NET) to load your applet, then shine a lamp onto the system's memory chips to induce a random bit flip. The bit flip modifies a pointer in an object, and the object can now write to arbitrary portions of memory.
In the practical world, this attack isn't very realistic (you need to have physical access and be able to get the JVM to allocate a huge amount of memory for your objects), but it's still very cool.
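Why the huge allocation matters can be seen in a toy model, added here as an illustration and not taken from the post or the paper. It assumes a 32-bit address space and fixed-size, aligned objects packed from address 0; the function names and sizes are constructed for the example.

```python
# Toy model (constructed): untrusted code has filled the first `filled_bytes`
# of a 32-bit address space with aligned objects of `object_size` bytes.
# Question: if one bit of a pointer to such an object flips, how often does
# the corrupted pointer still land on the start of one of those objects?
ADDRESS_BITS = 32


def flip_outcomes(pointer, filled_bytes, object_size):
    """Classify every possible single-bit flip of `pointer`."""
    counts = {"object_header": 0, "misaligned": 0, "outside": 0}
    for bit in range(ADDRESS_BITS):
        target = pointer ^ (1 << bit)
        if target >= filled_bytes:
            counts["outside"] += 1          # leaves the filled region
        elif target % object_size == 0:
            counts["object_header"] += 1    # start of another filled object
        else:
            counts["misaligned"] += 1       # inside the region, mid-object
    return counts


def header_hit_fraction(filled_bytes, object_size, samples=64):
    """Fraction of single-bit flips that hit an object start, averaged over
    evenly spaced object addresses in the filled region."""
    n_objects = filled_bytes // object_size
    step = max(1, n_objects // samples)
    pointers = [i * object_size for i in range(0, n_objects, step)]
    hits = sum(
        flip_outcomes(p, filled_bytes, object_size)["object_header"]
        for p in pointers
    )
    return hits / (len(pointers) * ADDRESS_BITS)


if __name__ == "__main__":
    # Compare a small memory cap with a large one for 1 KiB objects.
    for label, size in (("1 MiB", 1 << 20), ("1 GiB", 1 << 30)):
        print(label, header_hit_fraction(size, 1024))
```

In this model the chance that a flipped pointer stays useful doubles when the filled region grows from 1 MiB to 1 GiB, which is why capping the memory available to untrusted code makes the attack less practical.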




