The coming week will be a busy one for IT administrators. Microsoft plans to release six patches for December's Patch Tuesday -- three rated critical and three important. The patches will address 12 vulnerabilities in Windows, Internet Explorer, and Microsoft Office.
"To help customers plan for their deployment of these updates, I want to specifically call out that they touch all supported versions of Windows and IE," said Jerry Bryant of the Microsoft Security Response Center. "On the Office side, the bulletins impact Project, Word and Works 8.5. All of the updates for Windows will require a restart, so please plan accordingly."
Patching the IE Flaw
At the top of the list for IT administrators -- and at the top of Microsoft's deployment list -- is a vulnerability in IE 6 and 7 that could lead to remote code execution. Although Microsoft is not aware of any active attacks that seek to exploit this vulnerability, it is severe enough that the company considered releasing an out-of-band patch on Nov. 23.
The IE fix is part of Bulletin 4, which will have the broadest impact because it will affect all user machines across an entire organization, according to Don Leatham, Lumension senior director of solutions and strategy.
"It is critical across Windows 7, Vista and XP; requires a restart; and impacts all versions of Internet Explorer 6, 7 and 8," Leatham said. "We suggest that IT departments be prepared to quickly assess and patch all end-user machines throughout their organization."
Disrupting Windows Server
Bryant said the other critical update affecting Windows is in Bulletin 1. Although this bulletin has a critical severity rating, he said, its lower risk lowers the deployment priority a little. But security researchers said its importance shouldn't be underestimated for Windows Server 2008 users.
"If IT teams have Windows Server 2008 deployed in support of mission-critical applications, this update could be disruptive," Leatham said. "If the associated vulnerabilities are rated high on Microsoft's exploitability scale, organizations may be forced to pull production servers out of service for patching."
Bulletin 3 is critical for Project 2000. Since the majority of people use later versions of Microsoft Project, Leatham said, any attack associated with this update should be fairly narrow. Nonetheless, he added, IT teams should ensure that they have identified all instances of Project 2000 that may still exist in their organization.
What about the TLS Flaw?
Leatham said it appears that Microsoft isn't issuing a patch for the recently announced TLS flaw, which will most likely force updates to all brands of browsers and all Internet servers using SSL/TLS. The flaw allows attackers to inject text into encrypted traffic.
"Although we'll have to wait until Patch Tuesday for confirmation, we are led to believe that Microsoft has chosen not to address this vulnerability in this round of patches," Leatham said. "There is controversy in the security community as to the true importance of speeding a fix to market for this flaw, and no widespread exploits have been reported."