The attacks, which collectively have come to be known as "Aurora," were at first credited to a malicious Acrobat PDF file, then to the IE 0-day vulnerability fixed in this update. In fact, many different malware and vulnerability techniques were used; some were the IE 0-day and some malware experts claim that a PDF was indeed used in others.
The update code is available through all the usual channels: Windows Update, Microsoft Update, and Windows Software Update Services (WSUS).
The bulletin for the update lists the update as Critical for all platforms other than Internet Explorer 6 on Windows Server 2003. Four of the vulnerabilities, including the Aurora bug (designated CVE-2010-0249) are rated by Microsoft as likely to result in consistent exploit code, and of course Aurora is already being exploited.
Five of the other seven vulnerabilities have descriptions essentially identical to that of the Aurora bug, and all 6 have consecutive CVE numbers. This, combined with the Acknowledgements section of the advisory, indicates that once notified of Aurora, researchers found other related vulnerabilities and reported them to Microsoft. TippingPoint and the Zero Day Initiative are the big contributors this month.
The remaining two vulnerabilities are a cross-site scripting bug that could allow certain scripts to run in the wrong security context and a URL validation vulnerability that could allow remote code execution by way of a maliciously-crafted URL. On any other day this latter bug would be big news.
Note: Originally posted to the PCMag.com security blog, Security Watch.