Windows XP Malware: 6X As Bad As Windows 8 - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Enterprise Architecture

Windows XP Malware: 6X As Bad As Windows 8

WinXP is already an easy target for hackers, and it will get even simpler once Microsoft ends support for the 12-year-old OS in April.

Need another reason to quit Windows XP before Microsoft ends support for the operating system in six months? Then consider that real-world Windows XP systems already sport a much higher rate of malware infections than Microsoft's more recent operating systems.

"Windows XP is six times more likely to be infected than Windows 8, even though it has the same malware encounter rate," Mike Reavey, Microsoft's Trustworthy Computing general manager, said in a keynote presentation at this week's RSA Conference in Amsterdam. Those statistics were gathered from real-world systems. "There are over one billion Windows machines online and we can use them to track malware," he said.

Overall, Windows XP and Vista systems each encounter about 16% of all malware that's in the wild, which puts them slightly behind Windows 7 (19%) but ahead of Windows 8 (12%), according to Microsoft. Yet for every 1,000 computers scanned, an average of 9.1 Windows XP SP3 machines were malware-infected, which is nearly double the infection rate for Vista SP2 (5.5 infected machines per 1,000) and Windows 7 SP1 (4.9 machines), and almost six times the infection rate of Windows 8 RTM (1.6 machines).

Note that the Windows XP machine count refers to Service Pack 3 installations. For its predecessor, SP2, the malware infection rates were 66% higher than for SP3.

[ Is your BYOD program putting your network at risk? Learn more about Catching Mobile Malware In The Corporate Network . ]

The marked decrease in infection rates for later-generation versions of Windows is a sign that Microsoft's 2004 about-face on software security and focus on bringing Secure Development Lifecycle (SDL) practices to bear on its software development has been working. "The downward rate is a sign of secure development practices," Reavey said. "In pretty much every service in Microsoft we have people devoted purely on security, focused on what's going on in the marketplace and what's needed to secure it."

But as Microsoft counts down to April 2014, when it plans to end Windows XP support, the company is highlighting the information security shortcomings of aging versions of Windows as one more reason for customers to upgrade. "Microsoft Windows XP was released almost 12 years ago, which is an eternity in technology terms," Tim Rains, the company's director of Trustworthy Computing, said in a related blog postTuesday. "While we are proud of Windows XP's success in serving the needs of so many people for more than a decade, inevitably there is a tipping point where dated software and hardware can no longer defend against modern day threats and increasingly sophisticated cybercriminals."

Once Windows XP stops receiving security updates, Microsoft expects the security situation to degenerate further. "On April 8, 2014, support will end for Windows XP," Rains said. "This means Windows XP users will no longer receive security updates, non-security hotfixes or free/paid assisted support options and online technical content updates. After end of support, attackers will have an advantage over defenders who continue to run Windows XP."

To date, however, despite the additional security protections afforded by later-generation versions of Windows, many businesses and consumers are sticking with the 12-year-old operating system. Indeed, as of September 2013, Windows XP remained installed on 21% of PCs worldwide, and 15% of PCs in North America, according to Web analytics company StatCounter.

Currently, zero-day vulnerabilities that affect Windows XP are fetching a relatively low price -- $50,000 to $150,000 -- compared to more recent-generation Windows operating systems, because Microsoft has been patching those vulnerabilities in a relatively short timeframe, according to security expert Jason Fossen, who works at the SANS Institute.

But expect the weaponized exploit economy to change come April, when Microsoft ceases patching XP. That's because Microsoft's continued patching of its newer operating systems will give would-be XP attackers the equivalent of CliffsNotes for targeting the older OS. "After April next year, when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP," said Microsoft's Rains. "If they succeed, attackers will have the capability to develop exploit code to take advantage of them."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Pandemic Responses Make Room for More Data Opportunities
Jessica Davis, Senior Editor, Enterprise Apps,  5/4/2021
10 Things Your Artificial Intelligence Initiative Needs to Succeed
Lisa Morgan, Freelance Writer,  4/20/2021
Transformation, Disruption, and Gender Diversity in Tech
Joao-Pierre S. Ruth, Senior Writer,  5/6/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll