According to a Googler, the security fix in question is related to CVE-2014-0224, which is an OpenSSL bug allowing a man-in-the-middle attack. It's actually a fairly serious bug, and distinct from Heartbleed (fixed in 4.4.3). There are other tweaks, but we'll have to wait and see what the official word is. An AOSP push should show up soon and we can see what was addressed.
Towelroot is not affected by 4.4.4.
The Nexus 5 seems to be the only device with an OTA on the books, but 4.4.4 binaries and images for Nexus devices are already live on Google's site.
It's been barely a month since Android 4.4.3 started rolling out for Nexus devices and Google has already started rolling out the 4.4.4 update. But while this may not be as big an update as its predecessor (which itself wasn't especially big) it does take care of a major security issue.
According to the change log posted by Sprint, this update just brings a security fix. According to Android Police, it contains a patch for an OpenSSL bug, which would have allowed a man-in-the-middle attack. This is similar to the Heartbleed bug that was addressed in 4.4.3 update.
The OTA update is just rolling out for the Nexus 5 for now but Google has provided factory images on its website for the Nexus 4, 5, 7 and 10. If you used Towelroot to root your device then it will remain unaffected.
