Security experts have issued warnings about vulnerabilities in the Java Virtual Machine (JVM) contained in the latest versions of Internet Explorer (IE).

The flaws allow an attacker to deliver and execute arbitrary code on a victim's system when a hostile website or message is viewed in either IE or Outlook.

Finnish security firm Online Solutions claims that it has found 10 different vulnerabilities in the JVM which it has reported to Microsoft.

Through a combination of holes that give malicious Java applets file access on the viewer's system, as well as other resources that allow the delivery of code, a malicious applet could be engineered to upload and execute code on a victim's machine.

Such code could perform actions such as reading or modifying files, and installing or removing programs.

Typically, Java applets run in what is known as a 'sandbox', a security measure designed to protect the underlying operating system.

But if an untrusted Java applet can invoke a piece of machine language code known as a 'native method' which itself contains a security flaw, it may be able to escape its sandbox and compromise the system.

Fine details of the flaws have been omitted so as not to give the script kiddies a leg up in developing exploits.

Jouko Pynnonen, a researcher at Online Solutions, said that, although the vulnerabilities were found in the Java environment, "they do not seem to originate from the original Sun Microsystems code, but in the modifications or additions made by Microsoft".

He confirmed that, during testing, Sun's Java plug-in showed no known vulnerabilities.

Microsoft has acknowledged most of the vulnerabilities and is currently working on a patch. In the meantime, users can disable Java applets until the patch is released.