Seventeen of the bugs are rated as critical and affect Windows, Microsoft Edge, Office, Internet Explorer, the .NET framework and the malware detection engine. The last-named was patched on Monday night, given its severity.
The three bugs that are being actively attacked are a remote code vulnerability in Office, a memory corruption vulnerability in Internet Explorer and an elevation of privilege flaw in Windows kernel-mode drivers.
Attackers are said to be using the Office flaw along with the kernel-mode one to take control of a system.
Trend Micro's Zero Day Initiative has a chart giving an overall picture of the vulnerabilities and their effects.
Patches for flaws in Adobe's Flash Player have also been issued.