"...according to figures from Microsoft."
UK-based Windows XP users were six more likely to actually be infected than their counterparts who use more recent versions of Windows, according to figures from Microsoft. The company is likely trying to highlight the infection rates of the 12-year-old OS as a way to get customers to upgrade. It says that 9.1 of 1,000 XP (SP3 …
It's also likely that a fair number of companies still on XP have limited IT budgets to maintain their hardware & software. I mostly see XP in charities and organisations that buy in IT support and consultancy three or four times a year when something goes wrong, and whose IT security policy involves locking the front door when they leave for the day. I migrated a small NGO with around 12 computers from a mix of XP and Vista machines (and one Ubuntu box that noone could explain the existence of) to Windows 7 a couple of years ago, and they didn't even have a password on their WiFi (which explained the number of tourists sitting outside their very centrally placed office with their laptops).
Registered charities can get Windows dirt cheap from Microsoft. I've been looking into upgrading some server software for a charity I do some work for, as it happens we're going to move from Windows 2003 to CentOS Linux, but that is at least as much because the hardware is 32bit proliant, as it is any other reason.
...near me who can do MS Reseller Windows 7 Pro Licenses for not a great deal plus a decent dual core 2008 spec Dell Lattitude PC for about £70 to run it on.
I am constantly amazed by the number of small businesses that when I go visit to look at their IT setup, state they cant afford any new IT, too expensive, they only bought it all 2 years ago (read 6), scrimping and saving, worlds smallest violin etc.
Yet I walk past the big house, the M3 in the drive and the new leather sofa being delivered. Or they are an IFA!
If you cannot afford a few hundred quid for new IT from your business contingency budget then..well...what are you doing running a business?
Oh and quit running your business whilst owning only one laptop! Amazed how so many do not have a backup laptop or desktop system to run on.
Good for you Charles, great if you can wait for delivery or live next door to John Lewis. Great if you know how to setup a laptop and transfer 2GB of Outlook 2007 email or Outlook Express into the new world. Migrate Sage accounts or ACT to a new machine or a new OS.
A lot of folks don't.
But they dont think about it until it happens. And in my experience very few still use the cloud in the small business arena. in fact many have just discovered USB sticks.
It maybe 2013 in your tech warren but for the average person it's still 2005.
... is still nothing.
Not every XP instance has an internet connection. Some are used solely for dedicated purposes and wouldn't recoognise a connection if it snuck up and inserted itself firmly in their ethernet port.
For boxes (or virtual instances) like this, XP is still perfectly good. In fact, once you remove, or never install, all the malarky involved with keeping the O/S "safe": a euphemism for working around all the security bugs and bad design, it's storms along, incredibly fast.
Just don't plug anything into it.
Along those same lines, I wonder how much of that malware would be eliminated if they were running IE9 instead of IE6 or IE8?
And given the number of corporate web apps that require IE6, maybe MS should release a version of it that runs side by side with IE9 but is restricted to only approved domain connections which are set by group policy. Still a kludge, but maybe a better kludge than what they have.
And along the same lines how many times did user's decide to proceed to a site IE flagged as a known source of malware...
This is the real problem with these FUD reports, their real purpose is to encourage sales of Win8 etc. rather than seriously look at the security issue.
From my experience, I suspect that whilst removable media is still an issue, the major threat vector is internet access, which in the main is controlled by a user's browser and their firewall... So the question is whether a pure MS XP system is less secure than one running third-party: firewall, security suite and browser?
Other than Vista x64, the UAC systems are pretty comparable. The high figure for XP can probably be attributed to the default login-as-administrator setup.
As for W8, the RT ghetto is immune to any malware that is an x86 executable - hardly a ringing endorsement, as it is also immune to the use of typical PC applications.
Other major causes of XP infection:
Pirate copies which refuse to operate Windows Update and don't get the holes patched (fixed by MS product activation in later releases)
Product delivered with time-limited copies of Norton Security etc (fixed by MS Security Essentials with increasing effectiveness - now baked-in on Windows 8)
The figures for Vista, which has the same underlying improved security system found in Windows 7 and Windows 8, are nearly as bad as those for XP. Now, obviously the chart is supposed to be telling users that the more modern versions of Windows are inherently safer but it can also be read as, the longer an OS is out there the riskier it is and that infection rates like those of XP are only a matter of time for Windows 8.
Hoist by their own petard some might say.
Microsoft often employed the defence that XP was so much more prevalent and therefore was more targeted as the reason why it had so much more malware than its competitors, not that it was more insecure. However they are now saying that XP is really insecure as a reason to migrate away. They can't now use the defence that more users on Win7 or more likely Win8 is safer, because surely that would make Win7 & Win8 so much more targeted?
There's no amnesia more acute than PR
Except that each new version of Windows has included more security features than the previous one.
DEP, memory randomisation etc. came with Vista and 7, UAC came with Vista etc.
Compared to the newer versions XP is less secure. Go back to when XP was the current OS, it was more secure (after SP2) than Windows 2000 or 9x, because they had worked hard on security.
Security is a moving goal. By the time Windows 10 is around, it will have better built-in security than Windows 7 and 7 will look like the proverbial sieve. It just helps the PR people get their point across.
The same goes for Linux, look at the Kernel logs to see how many flaws are patched with each new release. If you compare a Linux box from the time of XP's release to a current one, you'll find a lot of open flaws that make the box easily exploitable, which have been patched over the years and the new box will be more secure "out of the box".
This post has been deleted by its author
This post has been deleted by its author
>That's because anyone running XP 64-bit has to be a freaking wizard to get any drivers to work with it!
[Casts furtive glances both ways] Yes, yes, I is a wizard. [More shifty staring]
PS: Don't tell anyone that 99.5% of computer security is knowing where to get your porn - at least for us wizards.
XP doesn't implement any of the stuff that was part of Microsoft's Trustworthy Computing initiative - UAC, privilege escalation, IP filtering, anti-phishing, address space randomization, driver signing, secure boot etc.
It would mean that somebody using Windows Vista or later has greater security by default than somebody on XP. Especially since the person on XP is probably running as local administrator all of the time because installers and suchlike don't work unless they do.
The biggest security threat still remains - the user. Malware could still convince someone to click and run a program regardless of what security measures the OS implements. e.g. someone I was speaking to recently was almost scared into clicking on a popup which warned their computer was being monitored for illegal activity. If they had clicked (and I assume a lot of people do) undoubtedly it would initiated some kind of malware / ransomware attack.
"It would mean that somebody using Windows Vista or later has greater security by default than somebody on XP. Especially since the person on XP is probably running as local administrator all of the time because installers and suchlike don't work unless they do."
Xym, did you actually look at the charts ?
64bit Vista has comparable rates of infection to 32bit XP... I'd love to know why that is the case. :)
You're comparing 64-bit Vista to 32-bit XP.
I don't know the reason. Maybe there was a security hole in their Windows on Windows (WOW) layer - the thing that thunks 32-bit software onto the 64-bit OS. e.g. address space randomization or something. Or maybe Vista 64 users were more inclined to disable UAC and run with admin privileges for some reason.
Whatever it was, it doesn't appear to have affected subsequent releases.
I have a new customer with a few Windows 7 PCs in a small office.
I set the users up as non-admins.
On my last visit, I found someone had switched off UAC on most of the PCs (which I switched back on).
The customer has been installing some apps themselves, so proably PEBCAK as per usual.
Running with admin rights is the main culprit I suggest, especially if UAC switched off.
Exactly. I also wonder how many people on here let their kids use a full admin rights computer at home. And rely on a system heavy anti-virus to guard against any threat.
In general though, people should stop going to dodgy web sites, and stop downloading hacked software! Take the view that they ALL have malicious code in them somewhere. Oh and stop putting your email address on competition sites, you're not going to win that iPad, you're going to win advertisement emails from all over the world, and crap knows what else.
wild theory: running 64-bit VIsta in 2013 is a sign of ignorance.
Back in the day Vista 64-bit was unpopular due to the lack of drivers and it was mostly used by early adopters. The latter have now moved on to 8.1, and I think that may mean that the remaining 64-bit Vista installations are purchases by clueless friends and family on the advice of early adopter "computer enthusiasts". Early adopters also had a penchant for disabling UAC because it got in the way of installing shareware downloaded from random internet sites.
I suspect that this is the same AC who always says this, but when challenged provides references to statistics on Web defacements.
There are vulnerabilities in Linux. Many are discovered and posted as a result of code examination (when people started looking for memcpy calls on unbounded buffers a few years back, there was a huge jump in the number of vulnerabilities reported against Linux, even though many of them were unlikely to be exploitable. We just don't know how many of these are present in Windows.
But as a basic desktop box, the protection that UAC provides on Windows Vista+ has pretty much always been there on Linux since it became popular. And as a result it is axiomatic that Linux is more secure for day-to-day use. And out-of-the-box, Linux is much safer to connect to the Internet because fewer services are turned on by default. This is something Microsoft have taken on board in recent Windows releases.
Of course, there are still exploits that take advantage of the wetware, but they will be present on any OS unless it is so locked down that the users cannot do anything.
Apples and oranges, son. And you know it. Hint: look up how many actual, live, major malware incidents have been on Mac OS X or Linux _ever_ and compare to the number running _right now_ on various versions of Windows. Or, indeed, just those running on XP.
But don't let the real world stop your shilling for Ballmer.
If Microsoft are saying this now, as XP SP3 is still supposed to be supported, what does that say about the quality of Microsoft's support? If this was after the cut off, I might understand it, but saying this now indicates that Microsoft aren't doing their job by a system that is supposed to still be supported, and implies that they are either deliberately running the system down or are totally incompetant, both reasons leading to severe doubts about the future of more recent systems.
If, however, they are merely scraping figures off the ground in Usenet fashion to frighten people to move, then there is only one word to describe them. Despicable.
"How much protection can a decent anti-virus tool give against the vulnerabilities that a lack of support might open up?"
None worth having (IMO) because *most* AV tools use signatures of Virii to detect them. Those signatures can't be generated until the virus is written and a machine (possibly yours) has been infected with it. In essence the protection you have from AV tools is always behind the curve.
With respect to software developers supporting their code, in my experience the overwhelming majority of them don't pro-actively hunt down vulnerabilities, so even if the software is supported you are still more likely to run into the vulnerability than the developer.
Where software developers do pro-actively hunt for vulnerabilities they may or may not be competent. With closed source you have very little data available to you by which you can assess the efficacy of their vulnerability squashing efforts.
A little while ago I found a trivial DOS exploit in a vendor's client libraries by simply copying their example code and increasing the number of loop iterations. That particular vulnerability cost 6 months of lost production despite having (VERY expensive) vendor support for a very expensive mature product. There were some warning signs - in that vendor's case the majority of their patches seem to derive from vulnerabilities discovered by third parties.
The serious Open Source projects do pro-actively review their code, and publish + fix the vulnerabilities as they find them, and you have the capability of verifying whether they are doing a decent job or not. Plus you can always look at the code yourself - and possibly even backport patches if you really can't upgrade.
All those lapsed copies of McAfee and Norton that folks haven't paid for or upgraded since they bought the laptop/PC 4 years ago.
"Well yes I think it has anti-virus!"
I love the fact that shop bought Windows 8 machines still have useless trial installs of McAfee on them which knocks out the perfectly good Windows Defender.
Still not helping guys!
1) Win8 sales in the dumper (at least, not near expectations), 'cuz Win 8 sux0rz. ... check!
2) No one...and I mean <i.no one</i> is updating Win XP (reason: see 1 above) ... check!
3) Stock price slipping, in spite of showing Ballmer the door ... double check!!
Fire up the vaunted Microsoft FUD MachineTM in a desperate attempt to reverse 1, 2, and 3 above ... checkmate!
Microsoft dug themselves into an operating system hole, first with the slow and annoying Vista. Then, while at it, they changed device driver models, something that happens almost every other Microsoft OS release. What happens? OOOPS! Lots of printers and scanners and graphics cards and audio cards and other more specialized hardware no longer work with the bright and shiny but blighted Vista. Windows 7 really ought to have been the free upgrade to Vista, but, yes, it uses almost the same device driver model, so your older but perfectly functioning hardware won't work with it either. Then Microsoft begat Windows 8, the demon spawn of Windows and the iPad. We all know how that is turning out, rejection of Windows 8 by large enterprises plus cries of anguish by consumers given no choice to buy in the stores except Windows 8. (People will race to the free Windows 8.1, because they really have no choice if stuck with Windows 8.)
Oh, yeah, and did I mention that many large companies (like banks) and enterprises (like govts and hospitals) have designed and developed for their own use proprietary applications that run on XP? And sometimes, with VERY special hardware? Now they have to "migrate" these applications to some bright new Microsoft OS. But migration is not a simple thing like birds flying south in the autumn. It is re-engineering the applications to run in a much-changed world of Windows 7 or Windows 8 Application Programming Interfaces (API). Some of Microsoft's API changes are for the good, as they make the software world more secure and more reliable. Others fix serious design errors made by Microsoft in earlier software, e.g. the hugely mistaken tight integration of Internet Explorer into XP, opening a huge hole for operating system contamination. So migration of software to the brave new world of Windows 7-or-8 is both very costly and extremely time-consuming. Yeah, I know you can run XP apps in an XP virtual machine under Windows 7. Well, SOME apps, like regular everyday commodity software you buy in the store. But proprietary software developed in-house? I'll believe it when I see it.
So now they want to use the tactic honed by long-time IBM partner: Fear, Uncertainty and Doubt, or FUD. Scare the hell out of everyone still using XP. They will scare a lot of people to Windows 7-or-8, and hardware vendors like Dell, Lenovo, HPaq and Acer-eGateMachines will smile as they sell a lot of systems to replace the ones that run Windows 7-or-8 very poorly. Nevertheless, come April 2014, millions of people will still run XP, probably with Firefox or Chrome and with any anti-virus package except MIcrosoft Security Essentials.
Upgrade? That's when you find out your older, not ancient hardware can't run Win8. Time to get a new computer, which comes with Win preloaded. Cheap Dell for me.
It's easier anyway, and seems like upgrades always bring up all manner of cryptic (utterly baffling) messages that I'm happier to never see. Can't imagine why Microsoft never seems able to make things clear.
A new processor always means a big jump in performance, however satisfactory your old computer was before Microsoft obsoleted it. And doesn't your old hard drive really have too many miles on it? New box fixes this too. Just network old and new computers and copy files across. Software apps have to be reloaded, but again, wasn't it time for that anyway, and maybe some changes, now that you have to do it anyway?