Has Microsoft just PROVED why you should upgrade from XP?

Filed Under: Featured, Malware, Microsoft, Vulnerability, Windows

Microsoft just published its January-to-June 2013 Security Intelligence Report (SIR).

(Yes, I was surprised at the timing, too, since we're already two thirds of the way through the next reporting period. But there you are, and here it is [PDF].)

I will dutifully declare that I have still to finish reading the report in full.

At 160 pages, even if some of them are blank, or contain corporate boilerplate, I just haven't got through it yet.

But I have read one of Microsoft's recent blog postings about the report, highlighting the part in which rates of malware infection and encounter are compared across the four flavours of client-side Windows: XP, Vista, 7 and 8.

The results seem to tell a pretty clear visual story about why you should get rid of Windows XP as soon as you can:

→ The numbers on the left and right sides can't directly be compared because they've been scaled differently for readability. The infection rate shows computers cleaned up out of every thousand on which Microsoft's Malicious Software Removal Tool (MSRT) was used. The encounter rate shows computers on which malware was detected - and almost certainly prevented from infecting - out of every hundred protected by a Microsoft virus blocker.

The obvious conclusion from the above is that your chance of being exposed to malware, and thus potentially infected if you were unprotected, is similar on all versions of Windows.

Windows 8 users, at first glance, appear to enjoy a slight advantage in exposure rate, with 12/100 computers measured to be actively under attack, against 16/100 or more for the other flavours of Windows.

The SIR doesn't offer an explanation, but we can always speculate:

  • Perhaps more recent versions of Internet Explorer are more likely to prevent you browsing to potentially infectious websites in the first place, thus reducing exposure?
  • Perhaps Windows 8 has stronger internal safeguards against exploits, thus stopping some attacks before they get as far as provoking an anti-virus warning?
  • Perhaps some Windows 8 users made the switch for security reasons, and are therefore less likely to put themselves in harm's way?

Likewise, Windows 7 seems to be at a very slight disadvantage, with 19% of computers visibly attacked, against 16% with XP and Vista.

That might not be a statistically significant difference (nor might the apparent advantage of Windows 8, of course), or it might be a simple side-effect of the fact that Windows 7 is the most prevalent version of Windows.

The most common platform, you can argue, is more likely to be singled out by malware writers who don't want to go to the trouble of building a multi-version exploit.

But the statistical significance of the left-hand numbers seems, at least on the surface, to be undeniable.
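To make the two scales in the chart concrete, and to put the "statistically significant" question to the test, here is an added example (my own illustration, not code from the article or from Microsoft's SIR). It computes the per-mille infection rate and per-cent encounter rate from constructed counts, then runs a pooled two-proportion z-test on the same 19% vs 16% gap over a small and a large telemetry base; every count in it is made up for illustration.

```python
"""Added example, not from the article or from Microsoft's SIR: computes the two
metrics the chart uses and runs a pooled two-proportion z-test to ask whether a
gap such as Windows 7's 19% vs XP's 16% encounter rate could be noise.
All counts below are constructed for illustration, not real telemetry."""
import math


def infection_rate_per_mille(cleaned: int, msrt_executions: int) -> float:
    """Left-hand scale: computers cleaned per 1,000 MSRT executions."""
    return 1000.0 * cleaned / msrt_executions


def encounter_rate_percent(detections: int, protected: int) -> float:
    """Right-hand scale: computers with a detection per 100 protected."""
    return 100.0 * detections / protected


def two_proportion_z_test(k1: int, n1: int, k2: int, n2: int):
    """Return (z, two-sided p) for H0: the two underlying rates are equal."""
    p1, p2 = k1 / n1, k2 / n2
    pooled = (k1 + k2) / (n1 + n2)
    se = math.sqrt(pooled * (1.0 - pooled) * (1.0 / n1 + 1.0 / n2))
    z = (p1 - p2) / se
    p_value = math.erfc(abs(z) / math.sqrt(2.0))  # two-sided normal tail
    return z, p_value


def gap_is_significant(k1, n1, k2, n2, alpha=0.05) -> bool:
    return two_proportion_z_test(k1, n1, k2, n2)[1] < alpha


# Constructed counts: the same 19% vs 16% gap on a small and a large base.
SMALL = {"win7": (19, 100), "xp": (16, 100)}
LARGE = {"win7": (19_000, 100_000), "xp": (16_000, 100_000)}
# Constructed MSRT counts reproducing the article's 5.7-to-1 infection ratio.
MSRT = {"xp": (57, 10_000), "win8": (10, 10_000)}

if __name__ == "__main__":
    xp = infection_rate_per_mille(*MSRT["xp"])
    w8 = infection_rate_per_mille(*MSRT["win8"])
    print(f"infection rate per mille: XP {xp:.1f}, Win8 {w8:.1f}, ratio {xp / w8:.1f}")
    for name, s in (("small", SMALL), ("large", LARGE)):
        z, p = two_proportion_z_test(*s["win7"], *s["xp"])
        print(f"{name} base: z={z:.2f} p={p:.3f} significant={p < 0.05}")
```

The same three-point gap is indistinguishable from chance on a hundred machines per version but overwhelmingly significant on a hundred thousand, which is why the size of the telemetry base, not just the percentages, decides what the right-hand chart can prove.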

When users went to the trouble of looking for malware, presumably because they thought they had slipped up and got infected, they were 5.7 times more likely to find some on XP than on Windows 8.

In short, the apparent conclusion is that XP is more than five times as permeable to malware as Windows 8.

Therefore, you can argue, XP's imminent - and, after 12 years, not exactly unexpected or untimely - Goodbye, Farewell and Amen moment should be applauded, and moving on to a more recent operating system will bring clear and immediate security benefits.

On the other hand, you can keep putting these numbers through the wringer and argue that they don't prove much of anything at all.

For example, the MSRT only deals with a small subset of the malware out there - it's always been something of a stopgap measure for the most commonly known malware families.

In other words, you might choose to explain the lower apparent infection rates on Windows 8 merely as a sign that the MSRT tends to miss more malware on Windows 8, being biased as a side-effect of history to detecting malware that only works on XP.

You can argue that, because the MSRT quite explicitly isn't a broad-spectrum anti-virus, the figures on the left don't denote infection rates at all, but are nothing more than a measure of the effectiveness of MSRT by Windows version.

The truth, I guess, is somewhere between the two.

While XP may not be an ecosystem that is 5.7 times more dangerous than Windows 8, I think it is reasonable to accept that Microsoft's data supports the claim that you are at much greater risk if you keep on using it.

If you need any more evidence, I suggest you take a look at our recent article series Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day.

There, we show the sort of tricks needed to pull off a drive-by exploit against Internet Explorer 9 on Windows 7, which involves working around not only Data Execution Prevention (DEP), but also Address Space Layout Randomisation (ASLR).

Without ASLR, DEP offers only a very mild extra resistance to attack - and XP doesn't have ASLR.

That alone is probably reason enough to move before next April's end-of-updates deadline.


16 Responses to Has Microsoft just PROVED why you should upgrade from XP?

  1. brian Read · 706 days ago

    Could you derive your own graph, based on Sophos statistics? They perhaps would be a more valid assessment of the "danger" of XP?

    I can say that I am having more success moving my friends and family to Linux (Ubuntu normally) as a result of Microsoft's decision to end support for XP, than I ever did just explaining the issues to them!

    • Paul Ducklin · 706 days ago

      I was wondering that...but I doubt the results would be worth it.

      That's because we sell almost exclusively into the government/education/business markets. We don't have consumer products for sale, so our encounter rates would reflect organisations, not all of whom like to submit telemetry data anyway.

      But our infection rates *would* reflect the consumer market, probably quite strongly, because that seems to be where our free Virus Removal Tool is most widely used:


      (Unlike the MSRT, our VRT has exactly the same detection and cleanup data as our full products, so the measurements would at least be more consistent in what was covered.)

      Nevertheless...it might be interesting to take a look.

      OTOH, we're already convinced that you ought to move from XP, even without the "infection rate" data.

      We know full well, from our experience in SophosLabs (and see that "Anatomy of an Exploit" paper mentioned above) that exploiting XP is generally a lot easier than any other Windows version.

      When XP stops getting security patches, that gap will widen, and surely just keep on widening...

      PS. I'm glad you spotted that "upgrading from XP" doesn't just mean "get a more recent version of Windows" :-)

  2. WB1 · 706 days ago

    Since this is MS doing the reporting, it's not going to contain the information, but I do wonder what the rates for Linux and Mac OS X look like compared to these. Does anybody do the same type of thing for those OSes? Could the data compare so there is a fair comparison?

    • Paul Ducklin · 706 days ago

      My gut feelings (but correct me if I am wrong!) are that:

      * Most malware-related attacks on Linux are on the server side. Linux server admins have traditionally disavowed anti-virus, even though Linux servers are a big part of the malware _distribution_ problem, mostly to Windows users, so I just don't think there'd be enough telemetry data to reach a useful conclusion.

      (If you want proof that upgrading on Linux is important, though, read our recent piece on WordPress 3.7 and its new autoupdate feature:

      * Mac malware is, thankfully, rare enough to give the same problems of statistical significance in the version-by-version infection rate data.

      (Also, Apple has, for some time, only supported back to OS X 10.6, which is much more modern compared to 10.9 than XP is to Windows 8, so there isn't really a widely used OS X version of XP's ilk that is about to become unsupported.)

  3. billboe · 706 days ago

    I believe the chart on the left is more reflective of the quantity of PCs running those operating systems and the maturity of the malware targeted towards it than it is an indicator of the risk of malware by platform. A strict quantities chart just isn't meaningful enough without contrasting it with the quantity of PCs running that operating system and deriving a percentage per instead (a la the right side chart).

  4. Oh yes, let's all run out and buy the latest windows. Oh wait, it won't run on this hardware. Darn, guess I'll have to stick with XP. Even if Win 8 would run on this, there are no drivers for some of the hardware. I'm not interested in paying more than the computer is worth to 'upgrade' the operating system.

    • Spryte · 706 days ago

      That was my issue too...
      Did a lot of linux distro hopping to find one that would work on my aging desktop.

    • Boom · 705 days ago

      I tried going to Linux but it took way too much time figuring out which distro fit my needs; then I realized that none of my software from XP will work. I finally made a few short term sacrifices (saved money) and bought Windows 7, which I am very happy with.

  5. W. Wheatley · 706 days ago

    I have no interest in "upgrading" to Windows 8. My computers run Windows 7 except for one laptop, which still runs XP. The last time I tried to change windows version on a computer was a disaster. It would be cheaper to buy a new laptop, then migrate the application software from the old laptop to the new one.

  6. gadget37 · 706 days ago

    What about all the old software and hardware which still doesn't work on Windows 8.1 ?

  7. brianc6234 · 706 days ago

    It would be smart to upgrade from XP now. But don't bother buying a new computer. Just install a free copy of Linux. Microsoft really just wants millions of copies of Windows 8 sold. Too bad Apple won't make a version of OS X for non-Apple computers.

  8. NoSpin · 705 days ago

    I say don't upgrade to Windows 8, upgrade to Linux.

  9. Andy · 705 days ago

    It seems to me it does not really matter what Windows operating system or any other system you have; somewhere along the line the system is going to get infected, otherwise there would be no need of virus checkers. It may be best to go back to pen and paper.

  10. J.G.Frajkor · 705 days ago

    Hackers and crooks have had 12 years to exploit XP, see how its defences work, and think up new ways to get past that. They haven't had enough time yet to exploit the Win 7 and 8 platforms. Windows is not going to tell you that in the long run, 7 and 8 will be just as wonky as 95, 98, 2000, Vista. -- etc.
    Have you heard Chrysler tell you that the 1960s Dodge Dart with a slant-6 engine is a better car than what they make today? Go ahead, show me the ads. But any good mechanic will tell you the truth.
    Personally, I used 95 until XP came along, ignoring all in between and avoiding the 2000 disaster. I will use XP until I finish installing Mint (likely the Debian-based Mint rather than Ubuntu Mint) and I bet I will not even need to know whether 7, 8, or 9 were any better than XP.

  11. Osama S. · 705 days ago

    Any conclusions in terms of comparison will be inconclusive since it does not take the user context into consideration. People that are still running Windows XP might just be people that are not tech savvy and barely can keep a computer running as is. If you could get results from Windows XP and Windows 7 machines owned and used by the same person, that would be a different story. Or you need to conduct some comparisons in a controlled lab environment.

  12. Matthew W · 705 days ago

    They'll have to pry my XP from my cold, dead hands !!!
    LOVE IT !!

    I am still very "unfond" of both 7 and 8.

    In my opinion, most people who get infected cause it themselves !!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog