Microsoft announced today that a vulnerability has been reported in ASP.NET. The underlying issue is that "ASP.NET is failing to perform proper canonicalization of some URLs". If you are responsible for ASP.NET application security or applications in general I would encourage you to look at the announcement, then at the knowledge base article (887459) which tells you how you can modify your application right now to defend against this issue.
On a personal note, I'd like to thank the ASP.NET team for working so closely with the ASP.NET MVPs and ASPInsiders to let us know what was happening with this vulnerability - you should see a lot of the other MVPs and Insiders posting about this too which means a consistent message is getting out.