Internet Explorer 9
Despite its bad reputation with earlier versions, IE has become quite a secure browser. Currently, there's only one vulnerability that can, in certain scenarios, be exploited to determine which websites you've visited. This rather old trick involves a non-destructive extraction of browsing history by observing cache timings. An attacker could theoretically find out which websites you've visited recently. The only "protection" is to enable InPrivate Browsing in IE and clear the cache to prevent a website from knowing what sites you've visited recently.
Internet Explorer 8
IE8 has a lot of vulnerabilities, yet most of them require the execution of an unknown file. There's also a little bug that includes the first 63 bytes of a file path when saving HTML websites to a PDF file. This could lead to users reading out system information, such as the user name. This is something you may want to keep an eye on when saving files in IE.
Both PowerPoint and Excel 2007 suffer from a vulnerability that can be exploited using a specifically crafted file to run malicious code. Again, this security hole can only affect users who open files blindly from unknown sources. Microsoft has known about this issue since February 2011.
It's very clear why Microsoft hasn't resolved most of these issues: Rapidly decreasing usage. Add to that the fact that many exploits can only be targeted when a user opens malicious files blindly or leaves his/her PC unattended. Sorry, no business case here, move along.
But overall the landscape of Microsoft's known and unpatched vulnerabilities is good. There are almost no highly critical and widely exploitable flaws in any protect that's still officially supported by the company.