Host header attacks aren't exactly new [0]. However it seems that this is deliberately vague to prevent people from exploiting it whilst systems are patched. I note that the CVE details [1] are not yet available, so perhaps the actual issue is a bit more complex.