Microsoft has released an out-of-band security bulletin (MS10-070), for the ASP.NET "information disclosure" vulnerability.
The short version of the vulnerability is that exploiting it generates unintended error messages containing information that an attacker may be able to use to view or compromise data.
According to the bulletin, any applications running on the ASP.net platform are vulnerable. It also indicates Microsoft is aware of current, limited attacks against the vulnerability.
SANS raised their InfoCon Alert from Green to Yellow for this vulnerability, to "raise awareness for this problem and patch." The notice on the SANS blog also links to a much more detailed explanation of the attack.
