Microsoft Fixes 23 Flaws, Including Bug With MSBlast Potential


It isn't the usual "Patch Tuesday" at Microsoft. Rather, it's a record-breaker. Both the number of bugs disclosed and the tally of critical fixes broke previous records.



Microsoft on Tuesday published 12 security bulletins for Windows and Office that patched 23 vulnerabilities, 16 of which the Redmond, Wash. developer tagged as "critical." Both the number of bugs disclosed and the tally of critical fixes broke previous records.

Ten of the updates addressed flaws in Windows, while 2 affected Microsoft Office or one of its bundled applications. According to security analysts, several of the bulletins patch vulnerabilities that are already being exploited in the wild, including one used to attack the PowerPoint presentation maker just days after July's security updates were revealed.

Security analysts immediately pegged the MS06-040 bulletin as the fix to apply first.

In an alert to customers of its DeepSight threat system, Cupertino, Calif.-based Symantec noted that MS06-040, which fixes a flaw in Windows' Server service, should be patched pronto. "At least one exploit for the issue has already been developed, and as such may be released soon," Symantec stated. "The issues can be exploited by an anonymous user against Windows XP SP2 to execute arbitrary code, making it a prime candidate for a worm."

Mike Murray, director of research at vulnerability management vendor nCircle, was even more adamant about MS06-040's potential.

"We've seen these kinds of service vulnerabilities before, and for one reason or another, [worms] haven't turned up," said Murray. "But all is lined up for this to be a big one."

The bug, which affects all currently supported versions of Windows, including fully-patched Windows XP SP2 and Windows Server 2003 SP1, is similar, but not identical to the 2003 RPC vulnerability that led to the MSBlast worm.

"We won't know for about 24 hours exactly how dangerous this is, but it could end up presenting a major problem," Murray said. "It looks like Windows' authentication isn't needed, so an anonymous user could launch from outside the network."

Symantec also reminded users that a similar bug was responsible for one of the biggest worm attacks ever. "The vulnerable service is the same used by the Blaster worm in past years," the alert read.

Nine of the dozen bulletins were labeled as critical, Microsoft's most dire rating. Among them were several that plugged various holes in Web-related components of Windows. Internet Explorer, Microsoft's browser, accounted for more than a third of the total bugs (8 of 23) and 5 of the 16 critical fixes, all in MS06-042. Even the most secure version of the browser, IE 6 for Windows XP SP2, was hit with 3 critical fixes.

"Just like always, we're seeing all this Web stuff," said Murray. "We're back to the monthly IE vulnerabilities fix."

According to Symantec, 3 of the 8 bugs in IE had been disclosed before Tuesday, 4 let attackers introduce their own code to a compromised system, and 3 can be exploited to gain access through lower IE security settings.

Chris Andrew, vice president of security technologies at PatchLink, took a different tack than his rival Murray and touted the browser bugs as those to fix first. "The importance of the browser should mean getting it patched ASAP," said Andrew.
