Tonight we posted some information and guidance around a reported security vulnerability in ASP.NET. The heart of the problem is a canonicalization issue in dealing with certain URLs. Check out the page here, and be sure to take a look at KB article 887459 if you're running an ASP.NET web site.
What You Should Know About a Reported Vulnerability in Microsoft ASP.NET
Microsoft is currently investigating a reported vulnerability in Microsoft ASP.NET. An attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This reported vulnerability exists in ASP.NET and does not affect ASP.
Remember that in North America you can receive no-charge help with security update issues or viruses by calling (866) PCSAFETY (727-2338). I'll post more on this issue as information becomes available.