A recent vulnerability called 'Padding Oracle' has just been found for ASP.Net apps. Using this vulnerability an attacker can:
a. Download files within an ASP.NET Application like the web.config file (say goodbye to your connection strings).
b. Decrypt data sent to the client in an encrypted state, like ViewState data within a page (did you say you stored your credit card numbers in session? Oops!)
But fear not, there is a patch available. More details about the vulnerability and its patch at Scott Guthrie's blog.
Cheers!
Update (28-Sep-2010): Microsoft's official patch is now available for this. More details on Scott Guthrie's blog.
More Info:
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310