Microsoft security research paints bleak picture for XP users

Summary: The latest security threat report from Microsoft shows the outlook for Windows XP users is getting grimmer. Things are bad, getting worse, and in six months the trouble really starts.

TOPICS: Security, Windows

The 15th and latest edition of Microsoft's Security Intelligence Report (SIRv15) has been released. We spoke with Tim Rains, Director, Trustworthy Computing at Microsoft, about the results.

There are a lot of periodic threat reports from companies in the security business, but Microsoft's report is based on probably the broadest set of data in the industry: it gathers information from over 100 countries; from more than 1 billion systems that use Windows Update, the Malicious Software Removal Tool (MSRT) and Microsoft's free Security Essentials program; from more than 400 million accounts and millions of Office 365 accounts; and from the billions of web pages scanned every day by Bing.

Though there is other data in the report, Rains chose to focus this time on the situation as it relates to Windows XP users. Citing third-party data, he said that 21% of users are still running Windows XP, which reaches end of life in April 2014, after which no security updates will be issued for it.

As we have noted before, once the last Windows XP patch is issued (on April 8, 2014, which is both a Patch Tuesday and XP's announced end-of-support date), unpatched vulnerabilities will begin to accumulate. Some will be bugs attackers already know about and are holding back until there is no longer any chance of a fix. Rains raised another likely scenario: on each subsequent Patch Tuesday, Microsoft will patch vulnerabilities in Vista and later versions of Windows, which share a great deal of code with XP. Attackers will reverse-engineer those updates to locate the fixed bug, test whether XP has the same flaw (most will), and write exploits for it targeting XP, which by then can never be patched.

Even before that happens, the vulnerability picture for XP users is bad compared with later versions of Windows. The chart below shows two measures, based on data from the MSRT, Security Essentials and a few other Microsoft sources: on the left, the infection rate (computers found to be infected and cleaned of malware, which the report normalizes per 1,000 computers scanned); on the right, the encounter rate (the percentage of systems that encounter, and therefore have to block, malware).

Windows XP users are many times more likely than Windows 8 users to be infected by malware (source: Microsoft).

There is some variability in the encounter rate, but all four Windows versions are fairly close to one another. The infection rate, on the other hand, clearly shows that Windows systems have become more resistant to attack over time. At the extreme, Windows XP users are almost six times more likely to become infected with malware than Windows 8 users. Since the encounter rates are so similar, that gap is not explained by XP users seeing more malware; it reflects how often an encounter actually succeeds. Globally, 17% of systems encounter malware.

Why are Windows XP users more vulnerable now? Because Microsoft has steadily incorporated defensive technologies into Windows with each new version. The only major exploit mitigation XP had was Data Execution Prevention (DEP), added in Service Pack 2, and even its implementation has improved greatly in subsequent versions. On XP, DEP also defaults to the OptIn policy, which covers Windows system binaries only, so a third-party application is protected only if it opts in or the system policy is raised to OptOut or AlwaysOn (the /noexecute switch in boot.ini). As the next chart shows, among CVEs with known exploits, the number whose exploits bypass DEP has steadily increased over the last few years.

The number of CVEs with exploits that DEP would have mitigated, compared with the number of CVEs with exploits that bypassed DEP (source: Microsoft).

Windows Vista, Windows 7 and Windows 8 each add mitigations that can block exploits that get past DEP, notably Address Space Layout Randomization (ASLR, introduced in Vista), which denies an attacker the fixed addresses that most DEP bypasses depend on, along with protections such as SEHOP and the heap hardening added in Windows 8.
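To make concrete what DEP actually stops, here is an added example (not from the article or from Microsoft) of the hardware check DEP is built on: the CPU's no-execute page permission. It copies a few bytes of machine code that simply return 42 into a freshly mapped page, then calls into that page twice: once while the page is read/write only, which is the situation a classic exploit faces when it writes shellcode into a buffer and jumps to it, and once after execute permission has been granted. POSIX mmap/mprotect stand in for the Windows VirtualAlloc/VirtualProtect calls so the program runs on Linux; the SIGSEGV handler is there only so the program can report the fault instead of dying.

```c
/* Added example (not from the article or Microsoft): demonstrates the
 * hardware no-execute page protection that DEP relies on.  A tiny function
 * ("return 42") is copied into an anonymous page; with the page mapped
 * read/write only, the CPU faults when control transfers into it, with
 * execute permission it runs.  POSIX mmap/mprotect stand in for the Windows
 * VirtualAlloc/VirtualProtect(PAGE_EXECUTE_READWRITE) calls. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for "return 42" on the architectures this demo supports. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char stub_code[] = {
    0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 42 */
    0xC3                            /* ret         */
};
#elif defined(__aarch64__)
static const unsigned char stub_code[] = {
    0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
    0xC0, 0x03, 0x5F, 0xD6          /* ret         */
};
#else
#error "unsupported architecture for this demo"
#endif

static sigjmp_buf fault_env;

/* Invoked when the CPU refuses to execute from the page; unwind to sigsetjmp. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Returns 1 if the injected code ran and returned 42, 0 if execution was
 * blocked by the page permission (the DEP case), -1 on setup failure. */
int try_run_injected(int allow_execute) {
    long page = sysconf(_SC_PAGESIZE);
    void *buf = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    memcpy(buf, stub_code, sizeof stub_code);          /* "shellcode" written as data */

    if (allow_execute) {
        if (mprotect(buf, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
            munmap(buf, (size_t)page);
            return -1;
        }
        /* Keep the instruction cache coherent on architectures that need it. */
        __builtin___clear_cache((char *)buf, (char *)buf + sizeof stub_code);
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &buf, sizeof fn);   /* data pointer -> code pointer */
        result = (fn() == 42) ? 1 : 0;  /* only reached if the CPU let it run */
    } else {
        result = 0;                     /* arrived via on_fault: execution blocked */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, (size_t)page);
    return result;
}

int main(void) {
    printf("page RW only: %s\n",
           try_run_injected(0) == 1 ? "code ran (no NX enforcement!)" : "execution blocked");
    printf("page RX     : %s\n",
           try_run_injected(1) == 1 ? "code ran" : "execution blocked");
    return 0;
}
```

On an NX-capable Linux machine the first call is blocked and the second runs. On Windows the outcome of the first call depends on the process's DEP status rather than being unconditional: a process that is not covered by the policy (the default OptIn case on XP for any non-system executable) behaves like the "no NX enforcement" branch, which is why the DEP policy setting matters as much as the hardware support. Exploits that "bypass DEP" in the report's chart are ones that never need the first call to succeed, typically because they reuse code that is already executable.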

  • Very redundant news

    I think it's been talked to death that XP is a security issue. Let's not forget the age of this OS and that since Vista Windows has become a much more secure OS. I am not even sure how many XP users have valid copies running on their PCs. Do they even update them? You know, in the end you also have to look at the browser issues Microsoft created with XP. You cannot even run a modern Internet Explorer on the OS. If more XP users ran Chrome or Firefox, I think you would find at least some reductions in malware. The question really becomes, what happens to XP when Microsoft drops support next year?
    • Other browsers

      Both Chrome and Firefox will be supported on XP for at least a while after end of life. Personally, I think this is a mistake. They'll find themselves supporting a product in an increasingly unsupportable environment. Clearly you'd be nuts to run IE on XP after April (actually, even now), but running other browsers won't matter much. Remember there are plenty of basic system services which Firefox and Chrome rely on which won't be updated. Chrome uses Windows Crypto; the Windows certificate store won't be updated anymore, so SSL in Chrome could easily become unreliable.
      • No need to despise your older computer...

        ...keep it and install Linux on it.
        Napoleon XIV
        • Linux

          Wow ... only 3 messages into the thread, too! It usually takes 10 or 15 before someone comes trolling about that!
          Max Peck
          • no, you counted it wrong

            yours was #4.
          • Count

            LOL ... I just couldn't resist. No foul meant here, I just was amused at how quickly a Windows discussion was invaded by a Linux comment that's all. :)
            Max Peck
          • so where is the problem

            This is the natural way an IT discussion goes. Of course it ends with Linux. There is nothing else viable as an option.
          • Not really a troll

            The typical home machine that would still have XP is not being used by a "power user", and multiple Linux-based desktop OSes are easier to adjust to than would be the case for Windows 8.x, and the hardware requirements may be more modest too. A good example is Mint running the Cinnamon desktop: it is more "XP-like" than Windows 8 and can work fine for all basic web browsing, email, word processing and spreadsheets. I have personally seen this. I could not get seniors to adjust to a Windows 8 machine, so instead of replacing the XP machines with new ones we instead upgraded to Linux; it was cheaper and they found it easier to learn/navigate.

            The people in most serious trouble, however, are the smaller enterprises who have neglected their IT for a long time to save costs. Some of these businesses could be ruined because of this bad decision. Cost of PC replacement isn't even the problem either; the killer is actually "line of business apps", the custom and niche-market software tuned specifically to their business. Typical are the apps written in VB6, or using a pseudo-web interface built for IE6 comprising web pages made up of all ActiveX controls, or perhaps Visual FoxPro database apps. Migrating to Windows is just as hard as to Linux in these cases, and both are painful options.

            Then there are the factories that have outdated automation software running their production lines, where the software is often locked into Windows and upgrading might even involve upgrading PLCs and so on. This software costs 1000 to 10000 percent of what the Windows OS costs (as in thousands or tens of thousands instead of hundreds), and the engineers to help upgrade cost even more. Linux migration or new Windows, either way this scenario can and will kill businesses.
            Mark Hayden
          • And Linux helps how?

            For a business running PLCs, most older systems are either so old they need DOS (Toshiba EX), able to run in a Windows XP virtual machine (Siemens S5, AB PLC-5) or upgraded to use Windows 7 (most less-than-15-year-old PLCs).
            Linux offers exactly nothing to fix any of these scenarios; no major PLC manufacturer to my knowledge supports Linux (or OS X for that matter). It's the same for line-of-business applications: why would you rewrite from the ground up for Linux when it might only be a fraction of the work to rewrite for Windows 7? In fact, if the problem is really that big then an XP virtual machine would likely still be a better option than Linux.
            As for your desktop migration to Linux, did you actually hang around long enough to see how all your seniors coped when they couldn't get their familiar Windows programs to run in Linux?
            Sometimes I think the advocates of Linux think they have a solution - the only problem is that there's really no problem they have to solve.
          • You're not mentioning Stuxnet? Now there's Windows in action.

          • Seniors

            If they can't run their apps on Linux, do you really believe that they can run Win8 at all? I can figure it out, and what I can't, I can find online. Most people are thrown by the interface change, though, so older people may tend to have a hard time. The reality is that Linux will do what most users need it to do, with fewer security issues than Windows. Even if that's only because it's a less attractive target, which I doubt, it's still a viable option.

            As for the vulnerability of XP once MS stops supporting it (which isn't unreasonable for a 13-year-old OS, or even 7 years based on the last time it was the latest Windows version), I find it odd that no one questions that this is an MS study. It may be accurate, but obviously the company has a vested interest, especially since the viability of 8.x is still very much up in the air.

            I'd also point out that many of the security issues are addressed by third-party security software that can be used to protect the system, even from the carelessness of users, where often the greatest risk lies (Malwarebytes, for example, blocks access to web pages it considers suspect). I'm not saying that running XP past April 2014 doesn't create more potential for infection. But I wonder if, in the final analysis, much of it isn't marketing, if the system is properly safeguarded. After all, it's been over 20 years since I trusted MS to secure my system, for *any* version of Windows.
          • [...]I find it odd that no one questions that this is a MS study.

            THANK YOU MDSOCK! I was wondering how long I needed to scroll to find someone with the common sense to call out the sources of this case study.

            Also, I'm in agreement about Microsoft and security. Except that I haven't trusted them in security since ever, even going way back to the DOS days.
          • of course

            No one with decent knowledge of IT (I say decent, not even professional) and with experience from the DOS days (like you and me) would ever trust MS.
          • Interesting points ...

            After recently helping a friend clean his main office computer (running Windows 7 and using Windows' built-in security) of two Trojans that had infected it, and cleaning a second office computer (using Windows 8 and its Windows security) of some malware that had hijacked its Internet Explorer, I question some of the hypotheses and conclusions projected by this article. For having been around, what ..., 13 years compared to the short lives of the other versions (and discounting Vista's low number secondary to it being such a dog that many users have moved on), I'm surprised that the infection rate of XP isn't higher and have a suspicion that it's only a matter of time before Win 7 catches up. Whether Win 8 will catch up with XP's infection rate might very well depend on whether it's widely accepted by the public. I haven't had an infection with XP on any computers using a 3rd-party security suite, and not one of the two popular dogs, McAfee and Norton. I would never trust a computer to Windows security, which I fear many people do regardless of version. Just curious, what would be the security effect of running XP, or any version of Windows, within a virtual machine within Linux, such as Oracle's Virtual Machine software or VirtualBox software? I will add that I used Windows Defender Offline to fix the Trojans and it worked extremely well.
          • you hallucinate

            If you don't see the problem, it's only because MS brainwashed you to the point where you see no problem with:
            1. no security at all
            2. crashing and data loss
            3. MS dictating to you when you buy a new computer
            4. MS making a fool of you by changing the desktop all the time

            Of course a normal person would consider these things a problem...
          • Now this is a real troll message..

            No point to it, just a way to slam, not Microsoft, but anyone that uses Microsoft OSs. Way to go.. and all of this is bull anyway.. oh, yeah, the hackers are saving up the exploits so they can attack the less than 20% of the XP machines that will be left by April.. and they are all at high-end targets too.. if they are doing all of that to try to get to Grandma's $500.00 Social Security check.. they are more pitiful than you are.
          • VM, sure, but......

            Machines that still require DOS, DOSBox. Programs that ran on XP, WINE. We Linux advocates do have a solution. In a handful of extreme cases it might take a Linuxer to adjust the programming to fit a particular purpose, I assure you it can, and has, been done.

            As far as seniors go, I have migrated a few myself to Linux from XP with great success, yes I do check in with them on their progress. Most seniors use their computers to surf the internet, maybe Skype with the family, or play some flash/java based online games.
          • it has every thing

            Well, every single program for Windows more or less runs on Linux. I have my favourite office suite (Kingsoft), video editor, picture editor, PDF editor, video player; I also ran StarCraft 2 on it.
          • Upgrading from XP

            True enough. I've been in a number of medical offices of late and have observed that some pretty large operations are still dependent on XP-based systems, many of them with HUGE infrastructure. While XP certainly is a little bit "long in the tooth" as far as technologists (and salesmen) are concerned, it is a hard sell to any large organization that they are going to have to incur the massive costs of ripping out a large infrastructure and "upgrading" it just so they can keep up with this industry. Many of these installations "just work" and they have IT departments all cattle-bred and trained to work with them. Smaller operations like mine? Not really a problem; however, I'm quickly reaching the point with Microsoft's schizophrenic behavior of late that I'm just going to hunker down and stay with what I have for a while.
            Max Peck
          • Well, the problem with FoxPro applications and

            probably VB applications has more to do with 16-bit versus 32-bit, not XP versus Win 8 or Win 7. I had no problem running VFP in 64-bit but did have a problem with 16-bit FoxPro for Windows 2.6.