Microsoft will release seven security patches tomorrow (Tuesday 11 December) as part of its monthly patching cycle, with three of them deemed "critical" by Redmond.
The critical patches fix vulnerabilities in Windows, with Windows elements DirectX, Windows Media Format Runtime, and Internet Explorer all affected. All the vulnerabilities allow remote hackers to breach users' systems without any interaction on their part.
The four "important" patches also address holes in Windows, fixing remote execution and elevation-of-privilege flaws.
Alan Bentley, regional vice-president of web security firm Lumension EMEA, said, "After a light Patch Tuesday in November, security administrators will have their hands full this month. The three critical patches all address remote code execution and should be rolled out as quickly as possible."
He said, "The vulnerabilities are web-based, and hackers can prey on unsuspecting end-users by dropping malicious code into videos and other media on legitimate websites. This is particularly troublesome because attackers can prey on users as the weakest IT security link by posting seemingly harmless videos on YouTube, MySpace, Facebook or similar sites.
"If a user watches one of these infected videos, malware will execute, compromise their machine and put the entire network at risk," said Bentley.
Bentley said the critical flaws could also be exploited directly through web-based e-mail, allowing hackers to target individual users or user groups, making attacks much more difficult to identify.