Latest Update - ASP.NET Vulnerability

Microsoft has released an HTTP Module installer in response to this vulnerability. The incident page has been updated, together with a new KB 887289 - HTTP Module to check for canonicalization issues with ASP.NET, detailing the MSI package and changes information. This is a server-wide fix that offers the same checking as KB 887459. You are advised to install this 'protection' workaround ASAP; you can get this package here. Note: please back up your machine.config file before installing the package.

On the other hand, I have been chatting with Mark Burnett (IIS MVP, author of Hacking the Code: ASP.NET Web Application Security) since yesterday. Interestingly, I felt that the 'hole' is in the ASP.NET ISAPI filter, which fails to check the requested URL path and leads to unauthorized access. Here's part of Mark's analysis:

---
There has been some confusion with the ASP.NET forms authentication issue and I wanted to clarify some points. First of all, this is really an authorization issue, not an authentication issue. This sounds trivial but the difference helps to understand what's happening here. Authorization is what determines if authentication needs to happen.

Normally when you make a request for a protected resource, ASP.NET checks the web.config to see if there is an authorization rule for that resource. If there is no match, it checks the authorization section in the web.config of each parent application all the way up to machine.config, which by default allows everyone to access everything.

The problem here is that by using a backslash, the code that compares the path string and the protected resource always fails. It does not properly match the path string to anything in web.config and eventually ends up in the machine.config, which allows access (note that this current vulnerability applies to the backslash, but it could potentially be any form of obfuscation that IIS might allow). Since it does not find any rules requiring authentication, it allows access to the resource without prompting the user for credentials, because it sees no need to do so. Therefore, it is not an authentication issue because it never gets to that point. Also, this means that it does affect both Forms and Windows authentication (assuming the NTFS permissions allow access to the ASP.NET process).
----

For full analysis and other discussions, you can subscribe to this list.
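
The fall-through Mark describes can be reproduced in a simplified model. This is an added illustration, not ASP.NET's or Microsoft's code; the rule table, the function names and the "reject" outcome are assumptions. It shows a lookup that compares path strings on `/` only, next to the same lookup guarded by a canonical-form check of the kind the HTTP module is described as performing.

```python
import posixpath

# Constructed sample: directory -> rule, standing in for the <authorization>
# sections of nested web.config files (hypothetical values).
RULES = {"/secure": "deny-anonymous"}
MACHINE_DEFAULT = "allow"  # machine.config default, as stated in the analysis


def _walk(directory):
    """Check the directory, then each parent up to the root; first rule wins."""
    while True:
        if directory in RULES:
            return RULES[directory]
        if directory == "/":
            return MACHINE_DEFAULT  # nothing matched: default allows access
        directory = posixpath.dirname(directory)


def naive_rule(url_path):
    """Flawed matching: only '/' is treated as a path separator."""
    directory = url_path.lower().rsplit("/", 1)[0] or "/"
    return _walk(directory)


def is_canonical(url_path):
    """True only if the path is already in the one form the rules are keyed on."""
    if "\\" in url_path or "//" in url_path:
        return False
    # Dot segments change under normalization; a trailing slash is tolerated.
    return posixpath.normpath(url_path) == (url_path.rstrip("/") or "/")


def hardened_rule(url_path):
    """Refuse non-canonical paths before any authorization rule is consulted."""
    if not is_canonical(url_path):
        return "reject"
    return naive_rule(url_path)


if __name__ == "__main__":
    # Constructed request paths for the demonstration.
    for p in ["/secure/admin.aspx", "/secure\\admin.aspx", "/public/index.aspx"]:
        print(f"{p!r:28} naive={naive_rule(p):15} hardened={hardened_rule(p)}")
```

In the model, the backslash form never matches the `/secure` rule, so no authentication is requested; the guarded version stops the request before the lookup runs.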

Published Fri, Oct 8 2004 12:52 by bernard