In the newly released Volume 15 of the Microsoft Security Intelligence Report (SIRv15), one of the key findings to surface relates to new insight on the Windows XP operating system as it inches toward end of support on April 8, 2014.

In this post we want to highlight our Windows XP analysis and examine what the data says about the risks of being on unsupported software. In the SIR, we traditionally report on supported operating systems only. For this analysis we examined data from unsupported platforms, like Windows XP SP2, from a few different data points:

  • Malware encounters (newly introduced in SIRv15) in comparison to infections.
  • Infection rates for supported and unsupported operating systems.
  • Impact of antimalware protection on supported and unsupported operating systems.

Malware encounters and malware infections

Earlier today we published a blog post that discussed a new metric for analyzing malware prevalence which was introduced in the latest report. This new metric, called the encounter rate, measures the percentage of computers protected with Microsoft real-time antimalware products that come into contact with malware. It is important to note encounters do not equate to infections. Although some computers do report active malware, the vast majority of these encounters represent blocked infections reported by our antimalware products. Another recent blog explained our metrics in more detail.

You can think of the encounter rate as a way to measure what percentage of computers are exposed to malware. In comparison, the infection rate (CCM) measures how many computers out of 1,000 scanned by the Microsoft Malicious Software Removal Tool (MSRT) actually got infected. What’s really fascinating about these data points is when you compare the two.

The following chart shows the encounter rate in comparison to the infection rate by operating system and service pack. While Windows XP SP3 computers encountered almost as much malware as other platforms, computers running Windows XP as a whole experienced a much higher infection rate. For example, although Windows 8 computers may encounter a similar amount of malware as Windows XP, people who use Windows XP are six times more likely get infected.

Malware Infection and encounter rates

Figure 1: Malware Infection and encounter rates for Windows operating systems during 2Q13

A few possible reasons for the higher infection rate on Windows XP are:

  • Antimalware protection may not be active or up to date (more on this hypothesis in the last section).
  • Older technology lacks the protective measures built into more recently introduced operating systems, and therefore is challenged to defend against some attacks.

Windows XP was built more than 12 years ago and was architected to include security technologies that were innovative at the time. For example, Windows XP SP2 was released in 2004 and introduced Data Execution Prevention. However, the threat landscape has changed quite a bit since then and technologies that were built a decade ago, like DEP, are now commonly bypassed. A paper released earlier this year from Trustworthy Computing: Software Vulnerability Exploitation Trends helps illustrate this point. The paper also provides a comparison of security mitigations built into Windows 8 and compares them against the mitigations built into Windows XP.

Newer operating systems are not vulnerable to many of the exploitation techniques that are still widely used and remain effective against older platforms. Newer operating systems include a number of security features and mitigations that older versions were simply not designed for at the time.

Infection rates on unsupported operating systems

Once support ends, if Windows XP SP3 follows a trend similar to prior Windows XP versions which are unsupported now, we can expect infection rates to rise.

For example, support for Windows XP SP2 ended on July 13, 2010 (support notification). The dashed blue line in the following chart represents its infection rate after that time.

XP SP2 infection rates

Figure 2: Windows XP SP2 infection rate after end of support

In the first two years after Windows XP SP2 went out of support, the infection rate disparity between the supported (Windows XP SP3) and unsupported (Windows XP SP2) service packs grew. In fact, the infection rate of the unsupported version was, on average, 66 percent higher than the supported version (Windows XP SP3).

After support ends, Microsoft security updates are no longer provided to address new vulnerabilities found, but that does not mean that new vulnerabilities won’t be discovered and exploited by attackers. For example, it will be possible for attackers to reverse-engineer new security updates for supported platforms to identify any that may exist in unsupported platforms. Tim Rains talked about the potential impact of doing so in his blog post this morning.

Impact of malware protection on supported and unsupported operating systems

One question I hear a lot when discussing unsupported versions of the OS is "So, won’t antivirus help protect my computer?" We absolutely encourage everyone to use real-time antimalware to help protect themselves against cybercriminal activity. In fact, the latest report shows that during the last quarter unprotected computers were 7.1 times more likely to be infected than protected computers.

That said, our data also tells us that running antimalware on out-of-support systems is not an equitable solution to protect against threats. The following chart compares the monthly infection rates for protected and unprotected computers on Windows XP SP2 and Windows XP SP3 in the last half of 2012 (this data for Windows XP SP3 was reported in the "Running unprotected" section of SIRv14).

The data shows that protected systems on Windows XP SP2 are twice as likely (2.2 times, to be exact) to be infected in comparison to protected Windows XP SP3 computers. Unprotected computers show a similar trend: you’re 2.5 times as likely to be infected on Windows XP SP2 in comparison to Windows XP SP3 when neither have up-to-date antimalware protection. 

Average infection rates

Figure 3: Average infection rate for computer with and without antimalware protection

As past Microsoft Security Intelligence Reports have shown, running a well-protected solution means running up-to-date antimalware software, regularly applying security updates for all software installed and using a more modern operating system that has increased security technologies and mitigations. This advice remains consistent with the new data in SIRv15.

Of course this blog highlights just one of the many key findings in the latest report.   I encourage you to download the report today to learn all about the latest trends in the threat landscape.

Holly Stewart
MMPC