Microsoft sticks to vow, leaves XP exposed to ongoing attacks. Hackers are exploiting an Internet Explorer (IE) vulnerability that was left unpatched in Windows XP, Microsoft and outside security experts said. The bug, identified as CVE-2014-1815, was one of two Microsoft patched with a critical update issued for IE6, IE7, IE8, IE9, IE10 and IE11. In the accompanying security bulletin, Microsoft noted that the vulnerability had been both known to hackers and used by them prior to the update. “Microsoft is aware of limited attacks that attempt to exploit this vulnerability in Internet Explorer,” the bulletin stated. But because Windows XP exhausted its support privileges last month, users running the aged operating system did not receive the IE security update, as did owners of Windows Vista, Windows 7 and Windows 8 PCs.