Microsoft made good on its promise and withheld security updates from those using older versions of the Internet Explorer browser.
All users running IE9 or lower on any edition besides Vista, as well as those on IE10 on anything but Windows Server 2012, stopped receiving the patches that were distributed to systems running IE11 or Edge.
As part of its practice, Microsoft issued a single update for Internet Explorer on February 9th. The update, which was labeled MS16-009, included fixes for 13 different vulnerabilities.
Which security holes were patched?
Of the 13 vulnerabilities that were patched, 9 affected every version of Internet Explorer that is still supported, which includes IE9 and IE10. The various versions of the browser share a lot of code, which was one of the reasons that Internet Explorer was dead-ended and Microsoft started over with Edge. It is certain that those 9 vulnerabilities exist in IE7 and IE8, as well as IE9 and IE10, and are ineligible for patching.
Basically, more than two-thirds of the vulnerabilities that were recently patched have a high chance of also existing in the retired versions of Internet Explorer that are no longer supported.
The dangers are known, but the unpatched vulnerabilities still matter. Cyber criminals regularly look at updates and compare the code before and after to determine what has changed. They then use that information to reverse-engineer the patch and find the vulnerability.
Once the hacker has located the vulnerability, they will craft an exploit for the weak link. Hackers also know that once a patch is released, not everyone will update immediately.