Microsoft is releasing two out-of-band updates on Tuesday. It’s always big news when MS does an out-of-band update, because it is a major amount of work for them to test against all the different operating systems, change their normal release cycle, etc.

Out-of-band updates are only done when Microsoft feels there is a real need, so I would take this update seriously (in the past several years, there have been only a few such updates, such as WMF and netapi32, the latter being the source of the Conficker nightmare).

Details are light, but according to information from Microsoft, one update will be for the Visual Studio product line, and the second “contains defense-in-depth changes to Internet Explorer to mitigate future attacks related to the Visual Studio bulletin, as well as fixes for vulnerabilities rated Critical that are not currently under active attack.”

The Visual Studio fix has a severity rating of “Moderate”, involves remote code execution, and will affect Microsoft Visual Studio .NET 2003, Microsoft Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C++ 2005, and Microsoft Visual C++ 2008. The IE fix is rated Critical, again involves remote code execution, and impacts IE on Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. There is considerably more information on the Advance Notification here.

Some additional information can be found at Brian Krebs and the Register, and you can stay updated by subscribing to the MSRC blog.

