The first issue centers on the browser's drag-and-drop capability, which does not validate new files correctly.
This means that, potentially, a document downloaded from a Web page using drag and drop may contain malicious code.
The other problems affect all Windows systems, including those protected by Local Computer zone lockdown, which comes with SP2.
The first allows specially designed (.hhk) files to be used to include malicious code on systems, and the second stems from a zone restriction error that could allow code to be downloaded from Web sites involuntarily.
At least one of the flaws was reported to Microsoft (Nasdaq: MSFT) last year, but no patches have so far been made available.
Security firm Secunia has released an advisory warning that the holes are "extremely critical" and recommends users dump IE and use an alternative browser.
"Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible. Through the joint effort of Michael Evanchik and Paul from Greyhats Security a very critical vulnerability has been developed that can compromise a user's system without the need for user interaction besides visiting the malicious page," Secunia warned in a statement.