Two-thirds of the vulnerabilities patched this week in IE11 and Edge likely exist in now-retired IE7 and IE8, definitely in semi-obsolete IE9 and IE10

Microsoft this week made good on a 2014 promise and withheld security updates from users of older versions of the company’s Internet Explorer (IE) browser.

All Windows users still running IE7 or IE8, and those running IE9 on any other edition of Windows but Vista, as well as those using IE10 on anything but Windows Server 2012, did not receive the patches Microsoft distributed Tuesday to systems equipped with the newer IE11 or Edge browsers.

As is its practice, Microsoft issued a single, cumulative update for IE on Feb. 9. The update, labeled MS16-009, included fixes for 13 vulnerabilities.

While Microsoft did not spell out which fixes were not given to older copies of IE, it isn’t difficult to pinpoint those unsent.

Of the 13 vulnerabilities patched by MS16-009, nine affected every version of IE that is still supported, including IE9 on Windows Vista and IE10 on Windows Server 2012. Because different versions of Microsoft’s browser share large amounts of code — that was one of the primary reasons the Redmond, Wash. company has dead-ended IE and started over with Edge — it’s almost certain that the nine vulnerabilities also exist in IE7 and IE8, and in IE9 and IE10 on Windows editions ineligible for patching. In other words, more than two-thirds of the vulnerabilities patched by Microsoft on Tuesday probably exist in the retired IE versions.

The danger with known, but unpatched vulnerabilities is significant: Cyber criminals regularly parse updates and compare “before” and “after” code to determine what was changed. They then use that information to investigate further in an attempt to reverse-engineer the patch to find the underlying vulnerability.
Once the bug has been identified, they craft an exploit to successfully hack unpatched software, knowing that not everyone updates immediately.

In this case, the vulnerability found in, say, IE9 on Vista — which was patched this week — may give them insight into the location of the bug in the older IE8. From there, they can create an exploit for the unpatched browser.

Cyber criminals will have motivation to do this work, at least temporarily, because a large number of IE users worldwide are still running the now-retired versions. According to data from analytics vendor Net Applications, about a third of those running IE last month used a version that has stopped receiving security updates.

Microsoft declared the early retirement of IE7 and IE8, and partial retirement of IE9 and IE10, in August 2014, when it told customers they must upgrade to the latest browser available for their OS by Jan. 12, 2016. For most users, the latest version is IE11.