MS has updated What You Should Know About a Reported Vulnerability in Microsoft ASP.NET with information on the Microsoft ASP.NET ValidatePath Module. This module essentially does what the recommended global.asax fix does - on a machine-wide level. The advantage? Only one install per machine, no developer who could forget to implement the fix, and it also works for applications for which you only have the compiled site. Running on this very Web server.