Microsoft has issued six security bulletins for December, bringing the total for 2009 to 74, compared with 77 in 2008, 69 in 2007 and 78 in 2006.
Of the latest security bulletins, three were rated "critical" and two "important" - the top two rankings for Microsoft security alerts.
The last Patch Tuesday security update for the year fixes 12 vulnerabilities, the most urgent fix addressing a zero-day flaw in the Internet Explorer web browser.
But any of the critical vulnerabilities could let an attacker gain full control over a vulnerable Windows computer, said Dave Marcus, director of security research at McAfee Labs.
"Business users need to have a risk management strategy in place to prioritise the patches," he said.
Of the three critical patches, MS09-072 is the most ubiquitous, affecting all versions of Internet Explorer, said Matthew Walker, regional director UK & Ireland at Lumension.
"This, combined with updates issued by Apple for Java for OS X, Adobe's Flash Player and AIR, makes this month particularly important for IT departments to shore up patches and protect against web-borne malware threats," he said.
MS09-072 is likely to have the greatest impact on end users as it affects all IT environments using Internet Explorer (6, 7 and 8), specifically impacting Windows 7, Vista and XP, which will all require a restart, said Walker.
MS09-071 affects Windows Server 2008 and requires a restart.
"Although Microsoft's exploitability scale for this bulletin is less severe, as Windows Server 2008 is most commonly deployed in support of mission-critical applications, this update has the potential to be severely disruptive to business operations," said Walker.