The flaws to be patched, which are said to be in Internet Explorer and Windows itself, could be used by attackers for remote code execution.
"The focus should be on patching the critical update for Internet Explorer," said Wolfgang Kandek, CTO of security firm Qualys.
"Addressing browser vulnerabilities on a fast schedule has become increasingly important as more and more of our time online is spent accessing the Internet and running applications through the browser."
The remaining four important bulletins relate to bugs in Windows or components in Office. Patches will be released on 12 November, at 18.00 GMT.
Windows zero-day spreads
Microsoft has also offered more clarity on the Windows zero-day vulnerability involving the TIFF graphics-format parser.
While no patch has been made available yet, Microsoft has released a "Fix it" that effectively turns TIFF parsing off.
To clear up "some confusion" around which software is impacted by the vulnerability, Microsoft noted in a blog post that Office versions 2003 and 2007 can be exploited regardless of what operating system they are running on.
Office 2010 is only affected if on Windows XP or Server 2003, while the flaw can be used in attacks on Windows Vista and Server 2008. Targeted attacks seen so far have only hit users of Office 2007 running on Windows XP.
Yet the range of attacks is worse than first thought. It is now believed that the attackers carrying out Operation Hangover, which hit a number of Pakistani government bodies earlier this year, are now actively exploiting the zero-day.
FireEye also reported another group, known as Arx, had used the vulnerability to drop the Citadel Trojan, a variant of banking malware Zeus. Most of Arx's targets are based in India and Pakistan, the firm said.
Microsoft initially said it saw attacks in the Middle East and South Asia.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
