This episode began not 2 weeks ago when Google announced that they had been the target of significant attacks from sites in China seeking to steal intellectual property and compromise GMail accounts of human rights activists. The company said they would no longer censor search results on their Chinese sites and would, if need be, withdraw from China. Google was not alone in being attacked; Adobe and many other corporate and government sites were.
The attacks, which collectively have come to be known as "Aurora," were at first credited to a malicious Acrobat PDF file, then to the IE 0-day vulnerability fixed in this update. In fact, many different malware and vulnerability techniques were used; some were the IE 0-day and some malware experts claim that a PDF was indeed used in others.
The update code is available through all the usual channels: Windows Update, Microsoft Update, and Windows Software Update Services (WSUS).
The bulletin for the update lists the update as Critical for all platforms other than Internet Explorer 6 on Windows Server 2003. 4 of the vulnerabilities, including the Aurora bug (designated CVE-2010-0249) are rated by Microsoft as likely to result in consistent exploit code, and of course Aurora is already being exploited.
5 of the other 7 vulnerabilities have descriptions essentially identical to that of the Aurora bug, and all 6 have consecutive CVE numbers. This, combined with the Acknowledgements section of the advisory, indicates that once notified of Aurora, researchers found other related vulnerabilities and reported them to Microsoft. TippingPoint and the Zero Day Initiative are the big contributors this month.
The remaining 2 vulnerabilities are a cross-site scripting bug that could allow certain scripts to run in the wrong security context and a URL validation vulnerability that could allow remote code execution by way of a maliciously-crafted URL. On any other day this latter bug would be big news.
