Essentially there is a flaw in how Drupal processes its PDO placeholders that allows anonymous users to provide a remote SQL injection from a simple URL query. A quick proof on concept was in a Reddit comment. Scripts are popping up all over the place, which means this will burn like wild fire.
Not sure how to fix? You can update Drupal core wholesale or manually apply the patch.
Method 1: Apply patch manually. It's a quick one-line change.
Method 2: Drush
You can use Drush's update function to update Drupal on your current site. Simply run 'drush up' and update your Core.
Issues where Drush can't find 7.32
There's an issue where Drush's cache prevent it from seeing the new release (Drupal.org issue.) The resolution is to run "drush rf" to force it to clear any cache_update table entries.
Unfortunately that didn't work in my case as I use Vagrant and make files. In order to get Drush to discover the new version I had to manually purge the file cache for the release history. This can simply be done with the following command (Mac OS X / Linux)