back to article Win XP? Your PLAGUE risk is SIX times that of Win 8 - NOW

UK-based Windows XP users were six more likely to actually be infected than their counterparts who use more recent versions of Windows, according to figures from Microsoft. The company is likely trying to highlight the infection rates of the 12-year-old OS as a way to get customers to upgrade. It says that 9.1 of 1,000 XP (SP3 …


This topic is closed for new posts.
  1. adnim

    "...according to figures from Microsoft."

    Enough said!

  2. Anonymous Coward
    Anonymous Coward

    So the main point they seem to be trying to make is that a PC that's been switched on an connected to/used on the internet for a much,much longer time is much, much more likely to have a problem. Go figure.

    1. cyclical

      It's also likely that a fair number of companies still on XP have limited IT budgets to maintain their hardware & software. I mostly see XP in charities and organisations that buy in IT support and consultancy three or four times a year when something goes wrong, and whose IT security policy involves locking the front door when they leave for the day. I migrated a small NGO with around 12 computers from a mix of XP and Vista machines (and one Ubuntu box that noone could explain the existence of) to Windows 7 a couple of years ago, and they didn't even have a password on their WiFi (which explained the number of tourists sitting outside their very centrally placed office with their laptops).

      1. Anonymous Coward
        Anonymous Coward

        Registered charities can get Windows dirt cheap from Microsoft. I've been looking into upgrading some server software for a charity I do some work for, as it happens we're going to move from Windows 2003 to CentOS Linux, but that is at least as much because the hardware is 32bit proliant, as it is any other reason.

        1. jason 7

          I know a MS Reseller.....

          ...near me who can do MS Reseller Windows 7 Pro Licenses for not a great deal plus a decent dual core 2008 spec Dell Lattitude PC for about £70 to run it on.

          I am constantly amazed by the number of small businesses that when I go visit to look at their IT setup, state they cant afford any new IT, too expensive, they only bought it all 2 years ago (read 6), scrimping and saving, worlds smallest violin etc.

          Yet I walk past the big house, the M3 in the drive and the new leather sofa being delivered. Or they are an IFA!

          If you cannot afford a few hundred quid for new IT from your business contingency budget then..well...what are you doing running a business?

          Oh and quit running your business whilst owning only one laptop! Amazed how so many do not have a backup laptop or desktop system to run on.

          1. Charles Manning

            Why do I need a backup laptop?

            If my laptop dies, I just buy another one, hook up to Dropbox etc, and I'm going again in a few hours.

            Well that's the perfectly rational thinking of most people anyway. I personally have three, but that's because I have different sw running on them.

            1. jason 7

              Re: Why do I need a backup laptop?

              Good for you Charles, great if you can wait for delivery or live next door to John Lewis. Great if you know how to setup a laptop and transfer 2GB of Outlook 2007 email or Outlook Express into the new world. Migrate Sage accounts or ACT to a new machine or a new OS.

              A lot of folks don't.

              But they dont think about it until it happens. And in my experience very few still use the cloud in the small business arena. in fact many have just discovered USB sticks.

              It maybe 2013 in your tech warren but for the average person it's still 2005.

      2. Primus Secundus Tertius Silver badge

        The other day I saw a large British bank still running XP. Yes, the manager told me, they tried Vista but that wasn't so good, and they tried 7 but for some reason copped out.

        1. streaky

          I've seen banks recently running 2k so yeah. There's also a major optician's chain that runs XP on their store customer db access systems with what looks remarkably like an old MS access app.

  3. Pete 2 Silver badge

    One-sixth of nothing

    ... is still nothing.

    Not every XP instance has an internet connection. Some are used solely for dedicated purposes and wouldn't recoognise a connection if it snuck up and inserted itself firmly in their ethernet port.

    For boxes (or virtual instances) like this, XP is still perfectly good. In fact, once you remove, or never install, all the malarky involved with keeping the O/S "safe": a euphemism for working around all the security bugs and bad design, it's storms along, incredibly fast.

    Just don't plug anything into it.

    1. mrfill

      Re: One-sixth of nothing

      If you can't plug anything in it does rather limit things. Ideal though for the user experienced in Battleships and Solitaire.

      1. William 3 Bronze badge

        Re: One-sixth of nothing

        I can still create invoices. I can still use a spreadsheet. I can still create powerpoint presentations.

        Pretty much the essential of running a business.

        And dare I say it, probably makes your staff more productive as well, no faffing around on Facebook.

  4. Ebaneezer Wanktrollop

    So how much more did it cost to research this report than releasing the already created patches for XP SP3?

    1. Tom 13

      @ Ebaneezer Wanktrollop

      Along those same lines, I wonder how much of that malware would be eliminated if they were running IE9 instead of IE6 or IE8?

      And given the number of corporate web apps that require IE6, maybe MS should release a version of it that runs side by side with IE9 but is restricted to only approved domain connections which are set by group policy. Still a kludge, but maybe a better kludge than what they have.

      1. Roland6 Silver badge

        Re: @ Ebaneezer Wanktrollop

        And along the same lines how many times did user's decide to proceed to a site IE flagged as a known source of malware...

        This is the real problem with these FUD reports, their real purpose is to encourage sales of Win8 etc. rather than seriously look at the security issue.

        From my experience, I suspect that whilst removable media is still an issue, the major threat vector is internet access, which in the main is controlled by a user's browser and their firewall... So the question is whether a pure MS XP system is less secure than one running third-party: firewall, security suite and browser?

    2. No Quarter

      Ebaneezer Wanktrollop

      I like your name. I will stalk you.

  5. Anonymous Coward
    Anonymous Coward

    Win XP Box?

    Yes, I'd like to. I thought it would be a competition

  6. Anonymous Coward
    Anonymous Coward

    meaningless stats

    Other than Vista x64, the UAC systems are pretty comparable. The high figure for XP can probably be attributed to the default login-as-administrator setup.

    As for W8, the RT ghetto is immune to any malware that is an x86 executable - hardly a ringing endorsement, as it is also immune to the use of typical PC applications.

    1. CreosoteChris

      Re: meaningless stats

      Other major causes of XP infection:

      Pirate copies which refuse to operate Windows Update and don't get the holes patched (fixed by MS product activation in later releases)

      Product delivered with time-limited copies of Norton Security etc (fixed by MS Security Essentials with increasing effectiveness - now baked-in on Windows 8)

  7. Charlie Clark Silver badge


    The figures for Vista, which has the same underlying improved security system found in Windows 7 and Windows 8, are nearly as bad as those for XP. Now, obviously the chart is supposed to be telling users that the more modern versions of Windows are inherently safer but it can also be read as, the longer an OS is out there the riskier it is and that infection rates like those of XP are only a matter of time for Windows 8.

  8. Anonymous Coward
    Anonymous Coward

    Executive summary

    Microsoft to XP users: Pay your tithes, biatches.

  9. Ralph B

    Are we confusing cause and effect?

    Nobody (much) - including the virus developers community - is developing for W8 because nobody (much) is using it. You don't target an audience which is not there.

    1. Don Dumb

      Re: Are we confusing cause and effect?

      Hoist by their own petard some might say.

      Microsoft often employed the defence that XP was so much more prevalent and therefore was more targeted as the reason why it had so much more malware than its competitors, not that it was more insecure. However they are now saying that XP is really insecure as a reason to migrate away. They can't now use the defence that more users on Win7 or more likely Win8 is safer, because surely that would make Win7 & Win8 so much more targeted?

      There's no amnesia more acute than PR

      1. big_D Silver badge

        Re: Are we confusing cause and effect?

        Except that each new version of Windows has included more security features than the previous one.

        DEP, memory randomisation etc. came with Vista and 7, UAC came with Vista etc.

        Compared to the newer versions XP is less secure. Go back to when XP was the current OS, it was more secure (after SP2) than Windows 2000 or 9x, because they had worked hard on security.

        Security is a moving goal. By the time Windows 10 is around, it will have better built-in security than Windows 7 and 7 will look like the proverbial sieve. It just helps the PR people get their point across.

        The same goes for Linux, look at the Kernel logs to see how many flaws are patched with each new release. If you compare a Linux box from the time of XP's release to a current one, you'll find a lot of open flaws that make the box easily exploitable, which have been patched over the years and the new box will be more secure "out of the box".

        1. jason 7

          Re: Are we confusing cause and effect?

          Very obvious indeed but a amazed how many choose to ignore it.

        2. This post has been deleted by its author

  10. Admiral Grace Hopper

    I'm upgrading a lot of WinXP boxes for friends and family at the moment

    Mostly to Ubuntu, but to Mint for the ones who want it.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm upgrading a lot of WinXP boxes for friends and family at the moment

      me too, mainly to Mageia/PCLinux, with VirtualBox of XP for any legacy apps that are still absolutely needed.

    2. TheVogon

      Re: I'm upgrading a lot of WinXP boxes for friends and family at the moment

      I can see that working well when they want to play Battlefield 4.....

      1. Rabbit80

        Re: I'm upgrading a lot of WinXP boxes for friends and family at the moment

        I'm sure there are lots of XP boxes out there that can play Battlefield 4! /S

      2. Anonymous Coward
        Anonymous Coward

        Re: I'm upgrading a lot of WinXP boxes for friends and family at the moment

        "I can see that working well when they want to play Battlefield 4....."

        I can see that not making a difference since Battlefield 4 requires DX10.....

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm upgrading a lot of WinXP boxes for friends and family at the moment

          Since when has Linux had DX10?

          1. Goat Jam

            Re: I'm upgrading a lot of WinXP boxes for friends and family at the moment

            "Since when has Linux had DX10?"

            Linux has exactly the same DX10 support that XP does.

  11. Gordan

    Is that...

    XP 64-bit at 0 on the chart? That's pretty secure.

    1. Crisp

      Re: Is that...

      That's because anyone running XP 64-bit has to be a freaking wizard to get any drivers to work with it!

      1. This post has been deleted by its author

      2. oolor

        Re: wizardry

        >That's because anyone running XP 64-bit has to be a freaking wizard to get any drivers to work with it!

        [Casts furtive glances both ways] Yes, yes, I is a wizard. [More shifty staring]

        PS: Don't tell anyone that 99.5% of computer security is knowing where to get your porn - at least for us wizards.

  12. DrXym Silver badge

    Hardly surprising

    XP doesn't implement any of the stuff that was part of Microsoft's Trustworthy Computing initiative - UAC, privilege escalation, IP filtering, anti-phishing, address space randomization, driver signing, secure boot etc.

    It would mean that somebody using Windows Vista or later has greater security by default than somebody on XP. Especially since the person on XP is probably running as local administrator all of the time because installers and suchlike don't work unless they do.

    The biggest security threat still remains - the user. Malware could still convince someone to click and run a program regardless of what security measures the OS implements. e.g. someone I was speaking to recently was almost scared into clicking on a popup which warned their computer was being monitored for illegal activity. If they had clicked (and I assume a lot of people do) undoubtedly it would initiated some kind of malware / ransomware attack.

    1. Roo

      Re: Hardly surprising

      "It would mean that somebody using Windows Vista or later has greater security by default than somebody on XP. Especially since the person on XP is probably running as local administrator all of the time because installers and suchlike don't work unless they do."

      Xym, did you actually look at the charts ?

      64bit Vista has comparable rates of infection to 32bit XP... I'd love to know why that is the case. :)

      1. DrXym Silver badge

        Re: Hardly surprising

        You're comparing 64-bit Vista to 32-bit XP.

        I don't know the reason. Maybe there was a security hole in their Windows on Windows (WOW) layer - the thing that thunks 32-bit software onto the 64-bit OS. e.g. address space randomization or something. Or maybe Vista 64 users were more inclined to disable UAC and run with admin privileges for some reason.

        Whatever it was, it doesn't appear to have affected subsequent releases.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hardly surprising

          I have a new customer with a few Windows 7 PCs in a small office.

          I set the users up as non-admins.

          On my last visit, I found someone had switched off UAC on most of the PCs (which I switched back on).

          The customer has been installing some apps themselves, so proably PEBCAK as per usual.

          Running with admin rights is the main culprit I suggest, especially if UAC switched off.

          1. Zot

            Re: Hardly surprising

            Exactly. I also wonder how many people on here let their kids use a full admin rights computer at home. And rely on a system heavy anti-virus to guard against any threat.

            In general though, people should stop going to dodgy web sites, and stop downloading hacked software! Take the view that they ALL have malicious code in them somewhere. Oh and stop putting your email address on competition sites, you're not going to win that iPad, you're going to win advertisement emails from all over the world, and crap knows what else.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hardly surprising

        wild theory: running 64-bit VIsta in 2013 is a sign of ignorance.

        Back in the day Vista 64-bit was unpopular due to the lack of drivers and it was mostly used by early adopters. The latter have now moved on to 8.1, and I think that may mean that the remaining 64-bit Vista installations are purchases by clueless friends and family on the advice of early adopter "computer enthusiasts". Early adopters also had a penchant for disabling UAC because it got in the way of installing shareware downloaded from random internet sites.

        1. Roo

          Re: Hardly surprising

          "wild theory: running 64-bit VIsta in 2013 is a sign of ignorance."

          That's pretty much the guess I arrived at in the end, although I think I would have used the word negligence - but the net effect is the same. :)

  13. Nathan 13

    That graph suggests

    Windows is very insecure!!

    1. Anonymous Coward
      Anonymous Coward

      Re: That graph suggests

      "Windows is very insecure!!"

      Actually even XP has had far fewer vulnerabilities than say OS-X or an Enterprise Linux distribution....

      1. Peter Gathercole Silver badge

        Re: That graph suggests @AC 12:38

        I suspect that this is the same AC who always says this, but when challenged provides references to statistics on Web defacements.

        There are vulnerabilities in Linux. Many are discovered and posted as a result of code examination (when people started looking for memcpy calls on unbounded buffers a few years back, there was a huge jump in the number of vulnerabilities reported against Linux, even though many of them were unlikely to be exploitable. We just don't know how many of these are present in Windows.

        But as a basic desktop box, the protection that UAC provides on Windows Vista+ has pretty much always been there on Linux since it became popular. And as a result it is axiomatic that Linux is more secure for day-to-day use. And out-of-the-box, Linux is much safer to connect to the Internet because fewer services are turned on by default. This is something Microsoft have taken on board in recent Windows releases.

        Of course, there are still exploits that take advantage of the wetware, but they will be present on any OS unless it is so locked down that the users cannot do anything.

      2. Chemist

        Re: That graph suggests

        "Actually even XP has had far fewer vulnerabilities than say OS-X or an Enterprise Linux distribution...."

        You have mentioned this before (MANY times) - you were trying to be misleading then and are so now

        1. James O'Shea Silver badge

          Re: That graph suggests

          He was flat-out lying then and he is now.

          1. Anonymous Coward
            Anonymous Coward

            Re: That graph suggests


            XP has about 600 vulnerabilities, OS-X over 2,000 and Suse 10 about 3,800......

            1. James O'Shea Silver badge

              Re: That graph suggests

              Apples and oranges, son. And you know it. Hint: look up how many actual, live, major malware incidents have been on Mac OS X or Linux _ever_ and compare to the number running _right now_ on various versions of Windows. Or, indeed, just those running on XP.

              But don't let the real world stop your shilling for Ballmer.

  14. Elmer Phud

    Sounds about right

    The numbers of XP boxes that have been passed on to older and younger family members or a relative must be huge.

    I've dealt with some that have had crap on them before being 'donated' - and once in the hands of a novice the toolbars and pop-ups just increase.

  15. Michael Habel

    Why do all the x86-64 versions sans WinH8 (Vista & 7), have a higher "Threat Level" then their 32.Bit Brothers?

  16. Chika


    If Microsoft are saying this now, as XP SP3 is still supposed to be supported, what does that say about the quality of Microsoft's support? If this was after the cut off, I might understand it, but saying this now indicates that Microsoft aren't doing their job by a system that is supposed to still be supported, and implies that they are either deliberately running the system down or are totally incompetant, both reasons leading to severe doubts about the future of more recent systems.

    If, however, they are merely scraping figures off the ground in Usenet fashion to frighten people to move, then there is only one word to describe them. Despicable.

  17. Anonymous Coward
    Anonymous Coward


    I thought Windows 8 WAS the pox?!

  18. J.G.Harston Silver badge

    Maths fail.

    9.1 PER 1000 XP boxes, not 9.1 OF 1000 boxes. You can't have a fractional number of whole objects.

    1. Crisp

      Re: Maths fail.

      Well done. Have .1 of a cake.

  19. Nial

    How much protection can a decent anti-virus tool give against the vulnerabilities that a lack of support might open up?

    1. Roo


      "How much protection can a decent anti-virus tool give against the vulnerabilities that a lack of support might open up?"

      None worth having (IMO) because *most* AV tools use signatures of Virii to detect them. Those signatures can't be generated until the virus is written and a machine (possibly yours) has been infected with it. In essence the protection you have from AV tools is always behind the curve.

      With respect to software developers supporting their code, in my experience the overwhelming majority of them don't pro-actively hunt down vulnerabilities, so even if the software is supported you are still more likely to run into the vulnerability than the developer.

      Where software developers do pro-actively hunt for vulnerabilities they may or may not be competent. With closed source you have very little data available to you by which you can assess the efficacy of their vulnerability squashing efforts.

      A little while ago I found a trivial DOS exploit in a vendor's client libraries by simply copying their example code and increasing the number of loop iterations. That particular vulnerability cost 6 months of lost production despite having (VERY expensive) vendor support for a very expensive mature product. There were some warning signs - in that vendor's case the majority of their patches seem to derive from vulnerabilities discovered by third parties.

      The serious Open Source projects do pro-actively review their code, and publish + fix the vulnerabilities as they find them, and you have the capability of verifying whether they are doing a decent job or not. Plus you can always look at the code yourself - and possibly even backport patches if you really can't upgrade.


  20. jason 7

    The biggest problem?

    All those lapsed copies of McAfee and Norton that folks haven't paid for or upgraded since they bought the laptop/PC 4 years ago.

    "Well yes I think it has anti-virus!"

    I love the fact that shop bought Windows 8 machines still have useless trial installs of McAfee on them which knocks out the perfectly good Windows Defender.

    Still not helping guys!

  21. Demogenes

    Could it be 6 times as likely because there are 6 times as many xp users as windows 8 users? :))

  22. Someone Else Silver badge

    So, let's see here...

    1) Win8 sales in the dumper (at least, not near expectations), 'cuz Win 8 sux0rz. ... check!

    2) No one...and I mean < one</i> is updating Win XP (reason: see 1 above) ... check!

    3) Stock price slipping, in spite of showing Ballmer the door ... double check!!


    Fire up the vaunted Microsoft FUD MachineTM in a desperate attempt to reverse 1, 2, and 3 above ... checkmate!

  23. The Godfather

    Jingle bells.....

    Am I going to fall for this bullshit?

  24. N2

    Report authors

    Are they the same ones who wrote

    "inkjet printers cost more to run than laserjets"?

  25. ben_myers

    Self-serving, perhaps? Just a little bit.

    Microsoft dug themselves into an operating system hole, first with the slow and annoying Vista. Then, while at it, they changed device driver models, something that happens almost every other Microsoft OS release. What happens? OOOPS! Lots of printers and scanners and graphics cards and audio cards and other more specialized hardware no longer work with the bright and shiny but blighted Vista. Windows 7 really ought to have been the free upgrade to Vista, but, yes, it uses almost the same device driver model, so your older but perfectly functioning hardware won't work with it either. Then Microsoft begat Windows 8, the demon spawn of Windows and the iPad. We all know how that is turning out, rejection of Windows 8 by large enterprises plus cries of anguish by consumers given no choice to buy in the stores except Windows 8. (People will race to the free Windows 8.1, because they really have no choice if stuck with Windows 8.)

    Oh, yeah, and did I mention that many large companies (like banks) and enterprises (like govts and hospitals) have designed and developed for their own use proprietary applications that run on XP? And sometimes, with VERY special hardware? Now they have to "migrate" these applications to some bright new Microsoft OS. But migration is not a simple thing like birds flying south in the autumn. It is re-engineering the applications to run in a much-changed world of Windows 7 or Windows 8 Application Programming Interfaces (API). Some of Microsoft's API changes are for the good, as they make the software world more secure and more reliable. Others fix serious design errors made by Microsoft in earlier software, e.g. the hugely mistaken tight integration of Internet Explorer into XP, opening a huge hole for operating system contamination. So migration of software to the brave new world of Windows 7-or-8 is both very costly and extremely time-consuming. Yeah, I know you can run XP apps in an XP virtual machine under Windows 7. Well, SOME apps, like regular everyday commodity software you buy in the store. But proprietary software developed in-house? I'll believe it when I see it.

    So now they want to use the tactic honed by long-time IBM partner: Fear, Uncertainty and Doubt, or FUD. Scare the hell out of everyone still using XP. They will scare a lot of people to Windows 7-or-8, and hardware vendors like Dell, Lenovo, HPaq and Acer-eGateMachines will smile as they sell a lot of systems to replace the ones that run Windows 7-or-8 very poorly. Nevertheless, come April 2014, millions of people will still run XP, probably with Firefox or Chrome and with any anti-virus package except MIcrosoft Security Essentials.

  26. toddf

    Upgrade? That's when you find out your older, not ancient hardware can't run Win8. Time to get a new computer, which comes with Win preloaded. Cheap Dell for me.

    It's easier anyway, and seems like upgrades always bring up all manner of cryptic (utterly baffling) messages that I'm happier to never see. Can't imagine why Microsoft never seems able to make things clear.

    A new processor always means a big jump in performance, however satisfactory your old computer was before Microsoft obsoleted it. And doesn't your old hard drive really have too many miles on it? New box fixes this too. Just network old and new computers and copy files across. Software apps have to be reloaded, but again, wasn't it time for that anyway, and maybe some changes, now that you have to do it anyway?

This topic is closed for new posts.

Other stories you might like