Microsoft said today that next week's Patch Tuesday will bring 17 updates plugging 40 holes and featuring two rated "critical," including one in Internet Explorer that was targeted in attacks last month.
The critical IE vulnerability was written for IE 6 and 7 but IE 8 is also vulnerable, Microsoft said when it about it in November.
Also fixed on Tuesday will be the final of four holes in Windows that themalware used.
"This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in active exploits aside from the Stuxnet malware," Mike Reavey, director of the Microsoft Security Response Center, said in a blog post.
Windows (all supported versions), Office, IE, SharePoint, and Exchange are affected by the bulletins, today's advisory says.
This brings Microsoft's total bulletin count for the year to a record 106, Reavey said. He attributed that to vulnerability reports in Microsoft products increasing slightly and older products "meeting newer attack methods, coupled with overall growth in the vulnerability marketplace."
"Meanwhile, the percentage of vulnerabilities reported to us cooperatively continues to remain high at around 80 percent; in other words, for most vulnerabilities we're able to release a comprehensive security update before the issue is broadly known," Reavey wrote.