Microsoft security research paints bleak picture for XP users

Summary:The latest security threat report from Microsoft shows the outlook for Windows XP users is getting grimmer. Things are bad, getting worse, and in six months the trouble really starts.

The 15th and latest of Microsoft's Security Intelligence Report (SIRv15) has been released. We spoke with Tim Rains, Director, Trustworthy Computing at Microsoft about the results.

There are a lot of periodic threat reports from companies in the security business, but Microsoft's report is based on an probably the broadest set of data in the industry: they gather information from over 100 countries; more than 1 billion systems which use Windows Update, the Malicious Software Removal Tool (MSRT) and Microsoft's free Security Essentials program; more than 400 million Outlook.com accounts and millions of Office 365 accounts; and from the billions of web pages scanned every day by Bing.

Though there is other data in the report, Rains chose to focus this month on the situation as it relates to Windows XP users. Citing third party data, he said that 21% of users are still running Windows XP, which will reach end of life in April 2014, after which no security updates will be issued for it.

As we have noted before, once the last Windows XP patch is issued (likely on April 8, 2014), unpatched vulnerabilities will begin to emerge. Some will have been saved by attackers for the time when there will no longer be a chance for it to be patched. Rains brought up another likely scenario: In subsequent Patch Tuesdays, Microsoft will patch vulnerabilities in Vista and later versions of Windows. Malicious researchers will reverse-engineer these updates, test to see if they affect Windows XP (most will), and write exploits for them targeting XP.

Even before all this happens, the vulnerability situation for XP users is bad compared to later versions of Windows. In the chart below we see two measures, based on data from the MSRT Software Essentials and a few other Microsoft sources: on the left is the number of computers infected with malware, and therefore cleaned of it. On the right is the percentage of systems that encounter or block malware.

encounter-infection-rates
Windows XP users are many more times as likely as Windows 8 users to be infected by malware- source: Microsoft

There is some variability in the Encounter Rate, but all four Windows versions are fairly close to one another. The infection rate, on the other hand, clearly shows that Windows systems have gotten more resistant to attack over time. At the extreme, Windows XP users are almost six times more likely to become infected with malware as Windows 8 users. Globally, 17% of systems encounter malware.

Why are Windows XP users more vulnerable now? Because Microsoft has steadily incorporated defensive technologies into Windows with each new version. The only major technology XP had was Data Execution Prevention (DEP), and even the implementation of that has improved greatly in subsequent versions. As this next chart shows, the number of disclosed vulnerabilities which bypass DEP in Windows XP has steadily increased over the last few years.

vulnerabilities-which-bypass-DEP-in-XP
The number of CVEs for which exploits were written that could have been mitigated by enabling DEP as compared to the number of CVEs that had exploits that bypassed DEP. (source: Microsoft)

Windows Vista, Windows 7 and Windows 8 all introduce new technologies that may block exploits that would get past DEP.

Topics: Security, Windows

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.