Microsoft this week made good on a 2014 promise and withheld security updates from users of older versions of the company’s Internet Explorer (IE) browser.
All Windows users still running IE7 or IE8, those running IE9 on any edition of Windows other than Vista, and those running IE10 on anything other than Windows Server 2012, did not receive the patches Microsoft distributed Tuesday to systems with the newer IE11 or Edge browsers.
As is its practice, Microsoft issued a single, cumulative update for IE on Feb. 9. The update, labeled MS16-009, included fixes for 13 vulnerabilities.
While Microsoft did not spell out which fixes were withheld from older copies of IE, it isn't difficult to work out which ones they were.
Of the 13 vulnerabilities patched by MS16-009, nine affected every version of IE that is still supported, including IE9 on Windows Vista and IE10 on Windows Server 2012. Because the different versions of Microsoft's browser share large amounts of code (one of the primary reasons the Redmond, Wash. company dead-ended IE and started over with Edge), it is almost certain that those nine vulnerabilities also exist in IE7 and IE8, and in IE9 and IE10 on the Windows editions that are no longer eligible for patches.
In other words, more than two-thirds of the vulnerabilities patched by Microsoft on Tuesday probably exist in the retired IE versions.
The danger of known but unpatched vulnerabilities is significant: Cyber criminals routinely dissect updates and compare the "before" and "after" code to determine what was changed. They then use that information to reverse-engineer the patch and locate the underlying vulnerability. Once the bug has been identified, they craft an exploit for the unpatched software, knowing that not everyone updates immediately.
In this case, the vulnerability found in, say, IE9 on Vista — which was patched this week — may give them insight into the location of the bug in the older IE8. From there, they can create an exploit for the unpatched browser.
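The "before and after" comparison described above is usually called patch diffing. As an added illustration, and not code from the article or from any real IE binary, the following Python script carves functions out of two constructed code sections using a constructed symbol table, hashes each function, and reports which ones the patch touched. The byte strings, symbol names and offsets are all made up for the example; in practice the function boundaries come from a disassembler and commercial diffing tools also normalize addresses and instruction operands before comparing, which this script does not do.

```python
import hashlib
from typing import Dict, List, Tuple

# (name, offset into the code section, length in bytes). Constructed for this
# example; real symbols would come from a PDB or a disassembler's function list.
Symbol = Tuple[str, int, int]

# Constructed pre-patch ".text" section. The x86 bytes are real encodings but the
# functions are invented; they are not from any Microsoft binary.
BEFORE_TEXT = (
    b"\x55\x8b\xec\x8b\x45\x08\x8b\x08\xff\x51\x04\x5d\xc3"  # Release: push ebp; mov ebp,esp; mov eax,[ebp+8]; mov ecx,[eax]; call [ecx+4]; pop ebp; ret
    b"\x55\x8b\xec\x8b\x45\x08\x8b\x40\x04\x5d\xc3"          # GetNext: dereferences [eax+4] with no null check
    b"\x33\xc0\xc3"                                          # Stub:    xor eax,eax; ret
)
BEFORE_SYMS: List[Symbol] = [("Release", 0, 13), ("GetNext", 13, 11), ("Stub", 24, 3)]

# Constructed post-patch section: GetNext gained a "test eax,eax; je" guard, which
# grows it by four bytes and shifts Stub to a new offset without changing its code.
AFTER_TEXT = (
    b"\x55\x8b\xec\x8b\x45\x08\x8b\x08\xff\x51\x04\x5d\xc3"
    b"\x55\x8b\xec\x8b\x45\x08\x85\xc0\x74\x03\x8b\x40\x04\x5d\xc3"
    b"\x33\xc0\xc3"
)
AFTER_SYMS: List[Symbol] = [("Release", 0, 13), ("GetNext", 13, 15), ("Stub", 28, 3)]


def carve(text: bytes, symbols: List[Symbol]) -> Dict[str, bytes]:
    """Slice the code section into per-function byte strings."""
    return {name: text[off:off + length] for name, off, length in symbols}


def function_hashes(funcs: Dict[str, bytes]) -> Dict[str, str]:
    """Hash each function body so unchanged code is matched even if it moved."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in funcs.items()}


def diff_functions(before_text: bytes, before_syms: List[Symbol],
                   after_text: bytes, after_syms: List[Symbol]) -> Dict[str, List[str]]:
    """Report functions whose bytes changed, plus any added or removed symbols."""
    before = function_hashes(carve(before_text, before_syms))
    after = function_hashes(carve(after_text, after_syms))
    return {
        "changed": sorted(n for n in before if n in after and before[n] != after[n]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }


def first_divergence(before: bytes, after: bytes) -> int:
    """Byte offset within a changed function where the two versions first differ."""
    for i, (x, y) in enumerate(zip(before, after)):
        if x != y:
            return i
    return min(len(before), len(after))


if __name__ == "__main__":
    result = diff_functions(BEFORE_TEXT, BEFORE_SYMS, AFTER_TEXT, AFTER_SYMS)
    print(result)
    old, new = carve(BEFORE_TEXT, BEFORE_SYMS), carve(AFTER_TEXT, AFTER_SYMS)
    for name in result["changed"]:
        off = first_divergence(old[name], new[name])
        print(f"{name}: first difference at byte {off}: "
              f"{old[name][off:].hex()} -> {new[name][off:].hex()}")
```

Hashing per function rather than comparing the sections byte for byte is the point: the unchanged Stub moved to a different offset after the patch and is correctly ignored, while GetNext is flagged with the exact position of the inserted check. That is the starting point an attacker uses to locate the bug in a version that did not get the fix.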
Cyber criminals have an incentive to do this work, at least for a while, because a large number of IE users worldwide are still running the now-retired versions. According to data from analytics vendor Net Applications, about a third of those running IE last month used a version that no longer receives security updates.
Microsoft declared the early retirement of IE7 and IE8, and partial retirement of IE9 and IE10, in August 2014, when it told customers they must upgrade to the latest browser available for their OS by Jan. 12, 2016. For most users, the latest version is IE11.