Microsoft isn't kidding when it says that people need to ditch Windows XP and has released alarming security numbers to prove its point. XP systems are indeed markedly more likely to fall prey to malware than later versions of Windows.
According to the firm's SIR (Security Intelligence Report) for the first half of 2013, Windows XP SP3 32-bit suffered a malware infection rate of 9.1 systems per 1,000 computers, which sounds modest until you read that the equivalent figure for Windows 7 32-bit was 5.0 and for Windows 8 64-bit it was 1.4.
To rule out the possibility that this difference was simply down to the behaviour of XP users, the firm compared infection counts against the encounter rate, that is, the proportion of systems on each OS version that met malware requiring intervention by Microsoft's security products.
Here, the different incarnations recorded roughly similar encounter rates, with XP at 16.3 percent, Vista at 16.5, Windows 7 at 19.1 percent, and Windows 8 RTM at 12.4 percent. Apart from underlining that Windows 7 is now probably the most targeted OS, it is clear that with Windows XP the ratio of encounters to infections is unflattering.
As the report's authors admit, that XP should be more vulnerable 12 years after its release than newer Windows versions is hardly surprising; malware creators have had longer to craft attacks, spot software flaws, and exploit the weaker security protection in the OS. But the point, Microsoft argues, is that the XP hardcore are taking a risk using the operating system in 2013, something that will only increase as an issue after the end of support in April 2014.
"Computers running Windows XP in 1H13 encountered about 31 percent more malware worldwide than computers running Windows 8, but their infection rate was more than 5 times as high," is the dry but accurate summary from the report authors.
Of course, all of this fits with Microsoft's earnest wish to see the back of XP and shift seats on to Windows 8. The other perspective is that Microsoft has drawn these numbers from its vast global database of systems running Windows operating systems and for this reason the numbers deserve to be taken seriously. Anyone who wants to be frightened some more might want to read a summary of the above points by Microsoft's director of trustworthy computing, Tim Rains.
For firms not able to abandon XP in 2014 for technical reasons (for example, the need to support in-house applications), the options are to run XP in a desktop virtualisation environment, adopt a policy of OS isolation (locking down applications, disconnecting USB ports, limiting Internet connectivity) or even buy a probably very expensive third-party support agreement.
One other interesting snippet from the report is the apparently shocking finding that running real-time antivirus software seems to be a good idea, or at least greatly reduces infection rates: the malware infection rate is 7.1 times higher on systems not running real-time antivirus than on those that are.
This isn't to say that antivirus never fails spectacularly -- it does, and often enough to cause major concern about its effectiveness against targeted attacks -- but it does underline that rumours of its imminent death are exaggerated.