Backstory: ASP.NET relies, in several places, on AES (or 3DES) blobs that it bounces off clients in cookies, in the Viewstate, and in URL arguments. The underlying implementation of block cipher encryption (in general --- not just AES) is vulnerable to a devastating side channel attack that allows attackers to "crack" the ciphertext byte-by-byte, instead of in 128-bit blocks.
It's good (and unsurprising) to see Microsoft taking this so seriously. I recommend that you follow their advice on workarounds. While doing so, keep in mind that the framework is still bouncing encrypted blobs off clients and relying totally on the notion that clients can't read them, and that the underlying problem (the server's behavior changes based on whether padding is valid) is still there. Keep your eyes open.
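As an added illustration (not part of the original comment, and not Microsoft's workaround or patch): one way to stop server behavior from depending on padding validity is to authenticate the blob before decrypting it and to report every failure identically. The sketch assumes modern .NET (Core 2.1 or later) and separate encryption and MAC keys; `BlobProtector`, `Protect` and `TryUnprotect` are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration; BlobProtector, Protect and TryUnprotect are hypothetical names.
static class BlobProtector
{
    const int IvLen = 16, TagLen = 32;
    // Layout: IV (16) || AES-CBC ciphertext || HMAC-SHA256 over IV||ciphertext (32)
    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;          // Mode defaults to CBC, padding to PKCS7
        aes.GenerateIV();
        byte[] ct;
        using (var enc = aes.CreateEncryptor())
            ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        var blob = new byte[IvLen + ct.Length + TagLen];
        Buffer.BlockCopy(aes.IV, 0, blob, 0, IvLen);
        Buffer.BlockCopy(ct, 0, blob, IvLen, ct.Length);
        using var hmac = new HMACSHA256(macKey);
        byte[] tag = hmac.ComputeHash(blob, 0, IvLen + ct.Length);
        Buffer.BlockCopy(tag, 0, blob, IvLen + ct.Length, TagLen);
        return blob;
    }

    // Returns false for every failure; callers send one generic error response.
    public static bool TryUnprotect(byte[] encKey, byte[] macKey, byte[] blob, out byte[] plaintext)
    {
        plaintext = Array.Empty<byte>();
        if (blob == null || blob.Length < IvLen + 16 + TagLen) return false;
        int bodyLen = blob.Length - TagLen;
        if ((bodyLen - IvLen) % 16 != 0) return false;
        using var hmac = new HMACSHA256(macKey);
        byte[] expected = hmac.ComputeHash(blob, 0, bodyLen);
        // Constant-time compare; tampered blobs stop here, before any padding check.
        if (!CryptographicOperations.FixedTimeEquals(expected, blob.AsSpan(bodyLen, TagLen)))
            return false;
        using var aes = Aes.Create();
        aes.Key = encKey;
        aes.IV = blob.AsSpan(0, IvLen).ToArray();
        try
        {
            using var dec = aes.CreateDecryptor();
            plaintext = dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
            return true;
        }
        catch (CryptographicException) { return false; }
    }
}
```

Because a modified blob fails the MAC check before decryption runs, the padding check is only ever reached for ciphertext the server itself produced.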