Microsoft: Windows XP malware infection rate nearly six times higher than Windows 8

Microsoft really wants Windows XP owners to realize that continuing to use the 12-year-old OS, whose support ends on April 8th, poses a serious threat. The latest version of the company's Microsoft Security Intelligence Report presents new statistics showing that Windows XP is still a big target for malware.

Neowin got a chance to chat with Holly Stewart, the Senior Program Manager of the Microsoft Malware Protection Center, on Monday, prior to today's release of the new report. Stewart went over several bullet points in the study with us, including one that the company has never released in previous versions. The new section deals with the malware encounter rate among currently supported Windows operating systems (Windows XP SP3, Windows Vista SP2, Windows 7 SP1 and Windows 8 RTM). As you can see in the chart above, the malware encounter rate for Windows XP is actually lower than Vista or 7 and only a few percentage points higher than Windows 8.

However, the chart next to the malware encounter rate shows the actual infection rate among those same operating systems, and that's a totally different story. Windows XP's rate is 9.1 computers cleaned of malware per 1,000 PCs scanned. That's well above the 5.5 and 4.9 scores given to Windows Vista and Windows 7, respectively, and nearly six times higher than the 1.6 score for Windows 8.

Stewart told Neowin that Windows XP is still installed on 21 percent of all PCs worldwide, which means that over 2 out of 10 PCs are still running the OS. When we asked what the percentage was just in the US, Stewart told us that Windows XP was still being used by over 13 percent of all PCs in the country, which is still a huge amount for a 12-year-old operating system.

We also asked Stewart how she felt about the recent announcements from Google and Mozilla stating they would continue to support their Chrome and Firefox web browsers, respectively, for Windows XP beyond Microsoft's April 8th cutoff date. Stewart told us that while software companies can continue to support their products on Windows XP, the fact is that the OS will still remain vulnerable to malware once the April 8th cutoff date is reached.

In fact, Stewart told us that another portion of the same report shows that PCs running Windows XP SP2, which is no longer supported, have a malware infection rate that is 66 percent higher than that of Windows XP SP3. Add it all up and it's clear that people and companies that are still running Windows XP need to upgrade to a newer version of Windows or else they significantly increase their exposure to malware.

Source: Microsoft | Image via Microsoft


80 Comments


Geezy said,
Wow I didn't know Windows 8 had so much malware...

Where there are users you will always have malware. You can only do so much to help people but some will click things anyway..

I say bull pucky!

This is just a scare tactic to get people to upgrade. Besides, it should be higher, even if that's not a good thing, being as XP is still so much more popular/used.

Athlonite said,
One would think that after having 12 bloody years Microsoft could have made XP uber secure by now it just boggles the mind

Um, they did make it secure. It was called Vista.

Athlonite said,
no they just made it too much of a pig OS to try and run malware on

It's pretty obvious you're not a developer, so let me clarify that for you. To make XP as secure as Windows Vista, 7, and 8 are today would require massive changes, both on stage and under the hood. For those that relied on XP, that would have created a support nightmare (as it did for Vista) because those changes would have broken a lot of things (they did on Vista).

It is impossible to provide XP with these kinds of changes.

******** they've had a decade to get it right and haven't managed to do so and still haven't managed it even with windows 7/8/8.1 there are just far too many holes for hackers to poke sticks into and yes users being dumb can also be blamed... and no I'm not a dev I'm just a poor lowly tech support guy with the unenviable task of cleaning up the mess that sneaks in through a hole or by the welcoming hand of a stupid user most of whom I do try hard to educate but some are just too stupid to learn so they get extra high bills

Athlonite said,
******** they've had a decade to get it right and haven't managed to do so and still haven't managed it even with windows 7/8/8.1 there are just far too many holes for hackers to poke sticks into and yes users being dumb can also be blamed... and no I'm not a dev I'm just a poor lowly tech support guy with the unenviable task of cleaning up the mess that sneaks in through a hole or by the welcoming hand of a stupid user most of whom I do try hard to educate but some are just too stupid to learn so they get extra high bills

So you're blaming Microsoft for holes in what sounds like user error, and third party programs? Microsoft can only do so much to secure their code, and they've done a helluva job. The holes in Windows are minimal. There's not much they can do for the likes of Adobe or Java, which continue to reek of rotten trash.

eilegz said,
....

try again.
Works fine on old hardware. Even the AMD CPUs.
Tons of neowinians will tell you how to optimize 7/8.1 for old hardware.
Just troll a little and they'll be all over you.

deadonthefloor said,

try again.
Works fine on old hardware. Even the AMD CPUs.
Tons of neowinians will tell you how to optimize 7/8.1 for old hardware.
Just troll a little and they'll be all over you.

Running windows 7 on 1gb of ram and (assuming) a p4 processor is kinda like picking your nose in public: you can do it, but it ain't gonna be pretty.

At my place of work we upgraded to Windows 7 but due to budget restrictions, it was not possible to upgrade hardware. From my personal experience, Windows 7 on low end hardware sucks. After our hardware upgrade everything was very smooth and our clients were happy.

I would give them an efficient Linux distro, make sure their printers and such work with it, give it a windows Xp/7 theme and be done. Especially those who use their pc just for facebook and email, should work fine.

Sadelwo said,
.... should work fine.

Until they go out and buy a piece of commercial software and wonder why they can't install it, like a tax program.

I'm a huge Linux evangelist, but really, don't force Linux on someone. Just take them to get a new computer running Windows 7 or 8.1.

FUD in action.

and btw, it is pretty douche from part of MS how is pushing the "Secure" boot with Windows 8.1

Secure boot does not protect our information, neither our boot.

nothing like a little care to force people to Buy Win8.

if you don't buy Win8/8.1.. little green monster IT techs are gonna creep out from under your bed and clean install windows 8/8.1...
NNNNNNNNNnnnnnnnnnnnnoooooooooooo! not that!?!

Boo! LOL.... in this global economy, people use what they can afford.

Xenomorph said,
It would be nice if companies actually fixed old products instead of always pushing people to new products.

Microsoft has supported XP for the last *THIRTEEN* years. What more do you want?

for them to have at least made it uber secure by now shoot how long should it take to patch all the bugs n holes just as well MS don't operate a bank hmmmm

Athlonite said,
for them to have at least made it uber secure by now shoot how long should it take to patch all the bugs n holes just as well MS don't operate a bank hmmmm

What?

People still using XP are also more likely to be unsavvy users. I'm sure they're the most likely folks to punch the monkey, wonder what that "one odd trick to burn belly fat" is, and try to find out "what car insurance companies don't want you to know."

The trouble with UAC is so many people just click yes to absolutely anything that pops up, usually without even reading what it says and if they do read it they don't know what it means. I'm sure it helps but as long as people have the ability to install things on their own computers they can and will install malware without a care. Got to have those great coupon toolbars and free dancing monkey screensavers after all.

TRC said,
The trouble with UAC is so many people just click yes to absolutely anything that pops up, usually without even reading what it says and if they do read it they don't know what it means. I'm sure it helps but as long as people have the ability to install things on their own computers they can and will install malware without a care. Got to have those great coupon toolbars and free dancing monkey screensavers after all.

Do they? Then why is it working?

My dad always clicks 'no' automatically now and just asks me about it later. I basically have very little support work since XP was purged from their house

I find it interesting Windows 7 scored better than Vista even though Vista has the more oppressive UAC. It could be a physiological thing that if the dialog is less common, people will notice it more.

dangel777 said,

My dad always clicks 'no' automatically now and just asks me about it later.

You have trained him well.

dangel777 said,

Do they? Then why is it working?

My dad always clicks 'no' automatically now and just asks me about it later. I basically have very little support work since XP was purged from their house

Sounds like my 75 year old mother. Anything she's unsure of - links in emails, update messages, you name it - she waits until she can ask me about it. She's had a personal computer since 1997 and has never been infected, since she knows to be cautious.
Having 2 sons in IT doesn't hurt, either.

I will be really happy when MS removes the desktop in the future versions of Windows. The average user is way too stupid to handle the desktop. They just have to click everything. No more "MY COMPUTER IS BROKEN, HAAAALPP!!!!one!" calls from family members, no more malware cleaning, removing countless toolbars, etc.

Doomguy- said,
I will be really happy when MS removes the desktop in the future versions of Windows. The average user is way too stupid to handle the desktop. They just have to click everything. No more "MY COMPUTER IS BROKEN, HAAAALPP!!!!one!" calls from family members, no more malware cleaning, removing countless toolbars, etc.
We're so far away from that you're going to be waiting a while.

Doomguy- said,
I will be really happy when MS removes the desktop in the future versions of Windows. The average user is way too stupid to handle the desktop. They just have to click everything. No more "MY COMPUTER IS BROKEN, HAAAALPP!!!!one!" calls from family members, no more malware cleaning, removing countless toolbars, etc.

not sure if "stupid" is the word for it. Are you stupid because the average person can't do a cardiac surgery and cardiopulmonary bypass technique? No. This just means you have no training in the area. Most people have no desire to learn to be computer savvy. To them, they just want it to work with having to know the back end.

Doomguy- said,
I will be really happy when MS removes the desktop in the future versions of Windows. The average user is way too stupid to handle the desktop. They just have to click everything. No more "MY COMPUTER IS BROKEN, HAAAALPP!!!!one!" calls from family members, no more malware cleaning, removing countless toolbars, etc.

Get those people an RT tablet. Even though it's got the Windows desktop, you can hardly get infected through it...

rippleman said,
....

This takes me back to the driving analogy used in another post.
If you want to be on the highway there are some rules of the road.
Learning the rules and basic inspection. That is to say, checking lamps and fluid levels are about as far as they should go.

These things make you a conscientious driver.

Keeping your own devices secure online makes you a conscientious netizen.

Anyone who is still using XP after end of life support is a danger to the rest of the internet as much as themselves.

deadonthefloor said,

This takes me back to the driving analogy used in another post.
If you want to be on the highway there are some rules of the road.
Learning the rules and basic inspection. That is to say, checking lamps and fluid levels are about as far as they should go.

These things make you a conscientious driver.

Keeping your own devices secure online makes you a conscientious netizen.

Anyone who is still using XP after end of life support is a danger to the rest of the internet as much as themselves.

you could say this about anything that a person does in public....

Sadelwo said,

You get to make an extra buck cleaning malware.

I dropped support for XP years ago. I ain't going anywhere near it for that.

When all these people move to windows 8 we will see a rise in infection rates because it will become more of a target and there will be many more clueless people using it.

exotoxic said,
When all these people move to windows 8 we will see a rise in infection rates because it will become more of a target and there will be many more clueless people using it.


No, there won't. It didn't happen to Vista, and it hasn't happened to 7. It won't happen to 8.

NeoandGeo said,
Thanks Firefox for helping people stay on XP for even longer with a false sense of security.

I think they are doing it more for the corporate users than anything. Just my 2 cents.

Spicoli said,
That was a really lame troll. Get a little more creative.
Didn't have much heart to it, but neither do people who still defend XP as a good OS choice.

MrHumpty said,
Didn't have much heart to it, but neither do people who still defend XP as a good OS choice.

But, but, it doesn't have draconian DRM, or restrictive file systems, and it's super fast on my 6GB, hexacore system!

/s

Well, if UAC ever pops up the very first thing people do is allow it. I recently cleaned up a fake AV that i'm pretty sure someone downloaded from a popup and ran. It was still in their download folder.

warwagon said,
Well, if UAC ever pops up the very first thing people do is allow it. I recently cleaned up a fake AV that i'm pretty sure someone downloaded from a popup and ran. It was still in their download folder.
Some people don't wear seat belts. Therefore we shouldn't have seat belts.

warwagon said,
Well, if UAC ever pops up the very first thing people do is allow it. I recently cleaned up a fake AV that i'm pretty sure someone downloaded from a popup and ran. It was still in their download folder.

If users want to be silly then they can - it's their choice. I've taught my family not to click blindly when the screen goes dark with the prompt and that alone has made a vast difference.

It's not about getting rid of UAC. It's about making UAC better so the user can make a more informed choice about what they are doing. The information provided now is not enough for the average user so they've just learned to hit Confirm/Allow to get to do what they want to do.

Davo said,
I agree. UAC needs to bluntly explain why it's prompting the user for a decision.

That's not so easy. I mean it wants admin privs but the binary may not contain a signature, or any useful version resource info to help UAC (it displays these things) more often than not.

Davo said,
I agree. UAC needs to bluntly explain why it's prompting the user for a decision.

How often do you expect them to read this information?

It is the same issue we have with people when they install stuff. They just blindly click next then complain when the installation loads 3 more toolbars on the system when if they had taken their time they could have just opted out of the installation of said toolbars.

Davo said,
I agree. UAC needs to bluntly explain why it's prompting the user for a decision.

This is why I like the Windows Store and modern apps.
It bluntly explains, and whatever I'm installing has been vetted by MS already.

deadonthefloor said,

This is why I like the Windows Store and modern apps.
It bluntly explains, and whatever I'm installing has been vetted by MS already.

Which honestly Microsoft should've got started way back with the release of XP. A central program or website controlled and vetted by MS where you can submit your app to sell. Granted that was a little ahead of the whole everyone has an "app store" crap (looking at you uTorrent).

But wow that would've been nice. You can sell it on your site, or wherever else AND you can list it in the approved Microsoft store. Then Windows GP could be set to ONLY allow signed installs from it. Would've saved millions and millions of headaches over the past years.

UAC needs an update. By default it should already show the details of whatever is trying to run rather than clicking show details (most folks I know ignore that feature).

It asks to verify publisher's certificate, instead it should have a link to a database concerning the exe trying to run (how safe is it).

Spicoli said,
UAC is annoying but it actually does work.

UAC is my best friend. i used to be at my parents house every other week fixing something. i got them windows 7 and set them up on a limited account and created an admin account that i only know the password to. No more infections.

seta-san said,

UAC is my best friend. i used to be at my parents house every other week fixing something. i got them windows 7 and set them up on a limited account and created an admin account that i only know the password to. No more infections.

Honestly, you don't need a UAC to do that.

Izlude said,
UAC needs an update. By default it should already show the details of whatever is trying to run rather than clicking show details (most folks I know ignore that feature).

It asks to verify publisher's certificate, instead it should have a link to a database concerning the exe trying to run (how safe is it).

I believe Windows 8's SmartScreen takes care of that.

MrHumpty said,
Honestly, you don't need a UAC to do that.

It makes it far more liveable in that it provides an easy method of elevation that's otherwise missing from the OS - he has a point. Really you more or less *had* to run as admin on Windows prior to its instigation - and without it developers would have insisted admin rights were necessary for day to day tasks..

DaveBG said,

Whatever man, all i say is that UAC will not save your ass.

It's not supposed to keep that secure

At least with UAC, technical users get to "see" what's being executed. If you visit a web page using Internet Explorer on a Windows XP machine and it starts trying to execute something as root and modify your system files, you'll never know it until it's too late. If the same code executes on Windows Vista or later and tries to modify system files, at least the techy people will know enough to actually realize they didn't try to run anything and hit "Cancel".