Five of the impending updates were tagged critical by Microsoft, the top threat ranking in its four-step scoring system. Another five were labeled "Important," the second-highest next rating, while the last was marked "Moderate."

Windows 7 will receive four of the 11 updates, including the one designed to patch the VBScript-F1 vulnerability, even though Microsoft previously said that the bug did not impact the new OS. "Severity ratings do not apply to this update because the vulnerability discussed in this bulletin does not affect this software," Microsoft said in today's alert, speaking of Vista, Server 2008, Windows 7 and Server 2008 R2. "However, Microsoft recommends that customers of this software apply this security update as a defense-in-depth measure."

Also on the slate: Patches for Publisher, the desktop publishing program included with some editions of Microsoft Office, and for Exchange, the widely-used e-mail server.

"It gets messier around deployment when Exchange has to be patched," said Storms. "Administrators have to balance uptime [for the mail server] with the risk. This probably needs to be patched as soon as possible, but companies should ask themselves: 'What's the risk of downtime?'"

Microsoft will not patch a vulnerability in IE in early February. Hackers can use the bug to attack IE on Windows XP, or IE7 or IE8 on other versions of Windows if the browser's Protected Mode has been disabled, Microsoft said then.