Two-thirds of the vulnerabilities patched this week in IE11 and Edge likely exist in now-retired IE7 and IE8, definitely in semi-obsolete IE9 and IE10

Microsoft this week made good on a 2014 promise and withheld security updates from users of older versions of the company’s Internet Explorer (IE) browser.

All Windows users still running IE7 or IE8, and those running IE9 on any other edition of Windows but Vista, as well as those using IE10 on anything but Windows Server 2012, did not receive the patches Microsoft distributed Tuesday to systems equipped with the newer IE11 or Edge browsers.

As is its practice, Microsoft issued a single, cumulative update for IE on Feb. 9. The update, labeled MS16-009, included fixes for 13 vulnerabilities.

While Microsoft did not spell out which fixes were not given to older copies of IE, it isn’t difficult to pinpoint those unsent.

Of the 13 vulnerabilities patched by MS16-009, nine affected every version of IE that is still supported, including IE9 on Windows Vista and IE10 on Windows Server 2012. Because different versions of Microsoft’s browser share large amounts of code — that was one of the primary reasons the Redmond, Wash. company has dead-ended IE and started over with Edge — it’s almost certain that the nine vulnerabilities also exist in IE7 and IE8, and in IE9 and IE10 on Windows editions ineligible for patching. In other words, more than two-thirds of the vulnerabilities patched by Microsoft on Tuesday probably exist in the retired IE versions.

The danger with known but unpatched vulnerabilities is significant: Cyber criminals regularly parse updates and compare “before” and “after” code to determine what was changed. They then use that information to investigate further in an attempt to reverse-engineer the patch to find the underlying vulnerability.
Once the bug has been identified, they craft an exploit to successfully hack unpatched software, knowing that not everyone updates immediately.

In this case, the vulnerability found in, say, IE9 on Vista — which was patched this week — may give them insight into the location of the bug in the older IE8. From there, they can create an exploit for the unpatched browser.

Cyber criminals will have motivation to do this work, at least temporarily, because a large number of IE users worldwide are still running the now-retired versions. According to data from analytics vendor Net Applications, about a third of those running IE last month used a version that has stopped receiving security updates.

Microsoft declared the early retirement of IE7 and IE8, and partial retirement of IE9 and IE10, in August 2014, when it told customers they must upgrade to the latest browser available for their OS by Jan. 12, 2016. For most users, the latest version is IE11.