Windows XP Malware: 6X As Bad As Windows 8 - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Enterprise Architecture

Windows XP Malware: 6X As Bad As Windows 8

WinXP is already an easy target for hackers, and it will get even simpler once Microsoft ends support for the 12-year-old OS in April.

Need another reason to quit Windows XP before Microsoft ends support for the operating system in six months? Then consider that real-world Windows XP systems already sport a much higher rate of malware infections than Microsoft's more recent operating systems.

"Windows XP is six times more likely to be infected than Windows 8, even though it has the same malware encounter rate," Mike Reavey, Microsoft's Trustworthy Computing general manager, said in a keynote presentation at this week's RSA Conference in Amsterdam. Those statistics were gathered from real-world systems. "There are over one billion Windows machines online and we can use them to track malware," he said.

Overall, Windows XP and Vista systems each encounter about 16% of all malware that's in the wild, which puts them slightly behind Windows 7 (19%) but ahead of Windows 8 (12%), according to Microsoft. Yet for every 1,000 computers scanned, an average of 9.1 Windows XP SP3 machines were malware-infected, which is nearly double the infection rate for Vista SP2 (5.5 infected machines per 1,000) and Windows 7 SP1 (4.9 machines), and almost six times the infection rate of Windows 8 RTM (1.6 machines).

Note that the Windows XP machine count refers to Service Pack 3 installations. For its predecessor, SP2, the malware infection rates were 66% higher than for SP3.

[ Is your BYOD program putting your network at risk? Learn more about Catching Mobile Malware In The Corporate Network . ]

The marked decrease in infection rates for later-generation versions of Windows is a sign that Microsoft's 2004 about-face on software security and focus on bringing Secure Development Lifecycle (SDL) practices to bear on its software development has been working. "The downward rate is a sign of secure development practices," Reavey said. "In pretty much every service in Microsoft we have people devoted purely on security, focused on what's going on in the marketplace and what's needed to secure it."

But as Microsoft counts down to April 2014, when it plans to end Windows XP support, the company is highlighting the information security shortcomings of aging versions of Windows as one more reason for customers to upgrade. "Microsoft Windows XP was released almost 12 years ago, which is an eternity in technology terms," Tim Rains, the company's director of Trustworthy Computing, said in a related blog postTuesday. "While we are proud of Windows XP's success in serving the needs of so many people for more than a decade, inevitably there is a tipping point where dated software and hardware can no longer defend against modern day threats and increasingly sophisticated cybercriminals."

Once Windows XP stops receiving security updates, Microsoft expects the security situation to degenerate further. "On April 8, 2014, support will end for Windows XP," Rains said. "This means Windows XP users will no longer receive security updates, non-security hotfixes or free/paid assisted support options and online technical content updates. After end of support, attackers will have an advantage over defenders who continue to run Windows XP."

To date, however, despite the additional security protections afforded by later-generation versions of Windows, many businesses and consumers are sticking with the 12-year-old operating system. Indeed, as of September 2013, Windows XP remained installed on 21% of PCs worldwide, and 15% of PCs in North America, according to Web analytics company StatCounter.

Currently, zero-day vulnerabilities that affect Windows XP are fetching a relatively low price -- $50,000 to $150,000 -- compared to more recent-generation Windows operating systems, because Microsoft has been patching those vulnerabilities in a relatively short timeframe, according to security expert Jason Fossen, who works at the SANS Institute.

But expect the weaponized exploit economy to change come April, when Microsoft ceases patching XP. That's because Microsoft's continued patching of its newer operating systems will give would-be XP attackers the equivalent of CliffsNotes for targeting the older OS. "After April next year, when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP," said Microsoft's Rains. "If they succeed, attackers will have the capability to develop exploit code to take advantage of them."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
<<   <   Page 2 / 2
sjacks98202
50%
50%
sjacks98202,
User Rank: Apprentice
11/2/2013 | 1:59:59 AM
re: Windows XP Malware: 6X As Bad As Windows 8
Locking down systems e.g. softeware install policies, no user admin login, no local admin, change flash, browser, et al login to least privileged (not system), and other good security policy goes a long way but you will get push back from "power lusers" (c.f. Vista). Users get ticked off when autorun or upnp is turned off, have to wait for their USB key is scanned.

We've setup XP embedded systems using "Syslogon" (basically user logs on as system early in the boot process)(does.not load winlogon baggage) and as configured withstood attacks that hacked Win7.
mak63
50%
50%
mak63,
User Rank: Ninja
11/2/2013 | 8:44:36 PM
re: Windows XP Malware: 6X As Bad As Windows 8
I agree with the last part of your comment a 100 %
mak63
50%
50%
mak63,
User Rank: Ninja
11/2/2013 | 8:48:12 PM
re: Windows XP Malware: 6X As Bad As Windows 8
April 8, 2014 will be known as Doomsday XP. Quoting the great Nibbler, "the universe is doomed, doomed"
jimbo0117
50%
50%
jimbo0117,
User Rank: Strategist
11/4/2013 | 2:41:11 PM
re: Windows XP Malware: 6X As Bad As Windows 8
Why is this still news? How many years now has MS been giving notice that people need to get off of XP?
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
11/5/2013 | 12:21:51 PM
re: Windows XP Malware: 6X As Bad As Windows 8
And how many years did users ignore that self-serving advice and stuck with XP? XP might not be the most secure OS, but it is secure enough and does the trick using hardware that works well. Throughout the years additional measures added the security that XP lacks. Moving to Win7 and especially Win8 is for many only an expense with zero benefit because they will only accomplish exactly as much as with XP and potentially even less. Also, Microsoft was incredibly successful in breeding the IE6-only web app ecosystem. That is the core reason why people stick with XP. Maybe Microsoft needs to build an ++berquirks mode that makes IE11 misbehave like IE6. And even then, upgrading Windows just costs too much.
<<   <   Page 2 / 2
Commentary
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
News
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
Slideshows
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Slideshows
Flash Poll