Millions of Internet Explorer 6 users are at risk from three "extremely critical" security holes that give hackers open access to PCs running the browser - even if Windows XP Service Pack Two has been installed.

The first issue centres on the browser's drag and drop capability, which does not validate new files correctly. This means that, potentially, a document downloaded from a web page using drag and drop may contain malicious code.

The other problems affect all Windows systems, including those protected by Local Computer zone lockdown that comes with SP2. The first allows specially designed (.hhk) files to be used to include malicious code on systems and the second stems from a zone restriction error that could allow code to be downloaded form web sites involuntarily.

At least one of the flaws was reported to Microsoft last year but no patches have so far been made available.

Security firm Secunia has released an advisory warning that the holes are "extremely critical" and recommends users dump IE and use an alternative browser.

"

Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible. Through the joint effort of Michael Evanchik and Paul from Greyhats Security a very critical vulnerability has been developed that can compromise a user's system without the need for user interaction besides visiting the malicious page," Secunia warned in a statement.