The problems, which the company describes as "critical," lie in Microsoft's virtual machine (VM) software for running Java applications on Windows computers. All versions of the VM, including the latest 5.0.3805, are affected, Microsoft said in a security bulletin.
The first flaw lies in a feature that allows Java applications to connect to databases, the second in a function that supports the use of XML (Extensible Markup Language) by Java applications, Microsoft said.
To exploit the flaws, an attacker would have to send the user an e-mail in HTML (Hypertext Markup Language) format or lure a user to a specially crafted Web site. An attacker could carry out virtually any desired action on a user's system after a successful attack, according to Microsoft.
The VM is a standard part of most versions of Windows and is delivered with the Internet Explorer Web browser. It has also been made available as a separate download, Microsoft said.
On Wednesday (18 September) Microsoft also disclosed a third, less serious flaw in the database support functions of its VM. Exploiting this flaw, rated "low" on Microsoft's severity scale, would at minimum crash Internet Explorer and could allow an attacker to run code on the user's computer, Microsoft said.