At least one of the three will be labeled "critical," Microsoft's highest threat rating.
Microsoft now pre-announces upcoming security bulletins and patches as part of its Advance Notification service, but limits the information to the number of bulletins it will put out. The patches will debut Jan. 11.
Critical bugs are those Microsoft says can be exploited without any user interaction by automated malicious code. In other words, a worm. Examples of such hands-off worms in the past have been the destructive MSBlast of 2003 and Sasser of 2004.
The last critical vulnerability that Microsoft patched was one for Internet Explorer in early December 2004.
Late last month, security firms warned users about three unpatched vulnerabilities in Windows' LoadImage API function, its animated cursors, and in the way it handles help files. It's not known if any of the patches Microsoft plans to release next week plug these holes.
"No additional details about bulletin severities or vulnerabilities will be made available until Jan. 11, 2005," Microsoft stated in the online notification.