so this seems to be officially fixed – finally
http://www.microsoft.com/technet/security/Bulletin/MS05-004.mspx
“This update resolves a public vulnerability in ASP.NET that could allow an attacker to bypass the security of an ASP.NET Web site and gain unauthorized access. The vulnerability is documented in the Vulnerability Details section of this bulletin. An attacker who successfully exploited this vulnerability could gain unauthorized access to parts of a Web site. The actions that the attacker could take would depend on the specific content being protected.”