Microsoft security research paints bleak picture for XP users

The 15th and latest of Microsoft's Security Intelligence Report (SIRv15) has been released. We spoke with Tim Rains, Director, Trustworthy Computing at Microsoft about the results.

There are a lot of periodic threat reports from companies in the security business, but Microsoft's report is based on an probably the broadest set of data in the industry: they gather information from over 100 countries; more than 1 billion systems which use Windows Update, the Malicious Software Removal Tool (MSRT) and Microsoft's free Security Essentials program; more than 400 million Outlook.com accounts and millions of Office 365 accounts; and from the billions of web pages scanned every day by Bing.

Though there is other data in the report, Rains chose to focus this month on the situation as it relates to Windows XP users. Citing third party data, he said that 21% of users are still running Windows XP, which will reach end of life in April 2014, after which no security updates will be issued for it.

As we have noted before, once the last Windows XP patch is issued (likely on April 8, 2014), unpatched vulnerabilities will begin to emerge. Some will have been saved by attackers for the time when there will no longer be a chance for it to be patched. Rains brought up another likely scenario: In subsequent Patch Tuesdays, Microsoft will patch vulnerabilities in Vista and later versions of Windows. Malicious researchers will reverse-engineer these updates, test to see if they affect Windows XP (most will), and write exploits for them targeting XP.

Even before all this happens, the vulnerability situation for XP users is bad compared to later versions of Windows. In the chart below we see two measures, based on data from the MSRT Software Essentials and a few other Microsoft sources: on the left is the number of computers infected with malware, and therefore cleaned of it. On the right is the percentage of systems that encounter or block malware.

There is some variability in the Encounter Rate, but all four Windows versions are fairly close to one another. The infection rate, on the other hand, clearly shows that Windows systems have gotten more resistant to attack over time. At the extreme, Windows XP users are almost six times more likely to become infected with malware as Windows 8 users. Globally, 17% of systems encounter malware.

Why are Windows XP users more vulnerable now? Because Microsoft has steadily incorporated defensive technologies into Windows with each new version. The only major technology XP had was Data Execution Prevention (DEP), and even the implementation of that has improved greatly in subsequent versions. As this next chart shows, the number of disclosed vulnerabilities which bypass DEP in Windows XP has steadily increased over the last few years.

Windows Vista, Windows 7 and Windows 8 all introduce new technologies that may block exploits that would get past DEP.