Microsoft has issued a Security Advisory that affects all websites developed on all versions of ASP.NET.

Microsoft has recently announced a security advisory concerning a newly discovered vulnerability in all versions of ASP dot NET. This means that an attacker using this vulnerability can request and download files within an ASP dot NET application like the web.config file, which often contains sensitive data. Also, an attacker exploiting this vulnerability can decrypt data sent to the client in an encrypted state.  For more information see Microsoft security advisory 2416728.

Typically security exploitation would be demonstrated to Microsoft (or the appropriate platform owner) for patching, and made public after a patch has been released and the threat has been eliminated or reduced, but in this case The vulnerability was demonstrated publicly BEFORE Microsoft had released a fix. As a result, we can expect to see hackers attempting to exploit this vulnerability.

Action Required
Microsoft is in the process of creating a patch. In the meantime, a workaround is detailed in Scott Guthrie's blog (Corporate Vice President in the Microsoft Developer Division).

At WSI, we are working with our hosting partners and software developers to identify which of our client's websites may be affected and whether we can apply the workaround to address the problem. We will be contacting all clients individually to let them know if this problem affects them. 

If you are not a WSI client, and your site page names end with the extension .asp or .aspx, we recommend that you contact your Website Developer as soon as possible to check whether this vulnerability could affect you.