Older versions of Internet Explorer are now at risk

By Liran
Microsoft Withholds Security Updates for Older Internet Explorer Versions

This week, Microsoft fulfilled a promise made in 2014 and withheld security updates from users of older versions of the company's Internet Explorer (IE) browser.

All Windows users still running IE7 or IE8, those running IE9 on any edition of Windows other than Vista, and those using IE10 on anything but Windows Server 2012 did not receive the patches Microsoft distributed Tuesday to systems equipped with the newer IE11 or Edge browsers.

As is its practice, Microsoft issued a single, cumulative update for IE on Feb. 9. The update, labeled MS16-009, included fixes for 13 vulnerabilities.

While Microsoft did not specify which fixes were withheld from older copies of IE, it isn't difficult to identify them.

Of the 13 vulnerabilities patched by MS16-009, nine affected every supported version of IE, including IE9 on Windows Vista and IE10 on Windows Server 2012. Given that different versions of Microsoft's browser share substantial code (one of the primary reasons for the shift to Edge), it is highly likely that these nine vulnerabilities also exist in IE7 and IE8, as well as in IE9 and IE10 on Windows editions ineligible for patching.

In other words, it is probable that more than two-thirds of the vulnerabilities patched by Microsoft on Tuesday also exist in the retired IE versions.

The danger with known but unpatched vulnerabilities is significant: Cybercriminals routinely analyze updates and compare "before" and "after" code to determine changes, enabling them to reverse-engineer the patch and find the underlying vulnerability. Once the bug is identified, they can craft an exploit to hack unpatched software, knowing that not everyone updates immediately.

In this case, the vulnerability found in, say, IE9 on Vista - which was patched this week - may give them insight into the location of the bug in the older IE8. From there, they can create an exploit for the unpatched browser.
