Microsoft has released a security advisory for ASP.NET (CVE-2010-3332). It looks like there are no known attacks for this vulnerability at this time, and no update has been released.
To quote the release:
"Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."
More details are available at Scott Guthrie's blog. As reader Jacob pointed out, Scott also details a configuration change that can be used as a workaround until the update is released.
-- Rick Wanner - rwanner at isc dot sans dot org - http://rwanner.blogspot.com/
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.