Microsoft Warns of Windows XP Malware Spike

By Pedro Hernandez  |  Posted 2013-11-05


Windows XP holdouts may soon face an explosion of malware that targets the unsupported operating system, cautions Microsoft.

The company is ending support for its enduring, 12-year-old desktop operating system on April 8, 2014. On that date, “Microsoft will no longer provide support for Windows XP users. This means that customers and partners will no longer receive security updates to the operating system or be able to leverage tech support from Microsoft after this time,” wrote Jeff Meisner, editor for The Official Microsoft Blog, in an April 2013 post that served as a reminder that users had a year to prepare for the XP support sunset.

Now, armed with historical data, the company is turning up the volume on the importance of migrating from Windows XP.

Tim Rains, director of Microsoft Trustworthy Computing, said in an Oct. 29 Microsoft on the Issues blog post that XP is living on borrowed time. “Microsoft Windows XP was released almost 12 years ago, which is an eternity in technology terms,” he wrote.

Rains added that “inevitably there is a tipping point where dated software and hardware can no longer defend against modern-day threats and increasingly sophisticated cyber-criminals.” With Microsoft no longer expending resources to keep those threats at bay, hackers and malware coders will go gunning for XP, Rains said. And he has data that backs him up.

“In the two years after Windows XP Service Pack 2 went out of support, its malware infection rate was 66 percent higher than Windows XP Service Pack 3—the last supported version of Windows XP,” Rains said. XP, while still officially supported, already fares worse than its successors on malware infection rates.

According to the company’s data, Windows XP, Vista, 7 and 8 “all had roughly similar malware encounter rates—between 12 and 20 percent,” said Rains. “But Windows XP systems had an infection rate that was six times higher than Windows 8.”

When Microsoft drops support in five months, users and organizations still running the OS will face a very different online security landscape from that of the operating system’s inception.

Lone hackers “developing malicious software from their basements in the 1990s” are a thing of the past. Today cyber-criminals are sophisticated, “well-funded underground organizations,” said Rains. Often leveraging “large-scale malware automation,” they “are motivated by profit or seek to cause real financial or political harm.”

Further, Microsoft’s own efforts to harden its newer operating systems may give malware coders pointers on attacking Windows XP. Rains predicted that when his company releases “monthly security updates for supported versions of Windows, attackers will try and reverse-engineer them to identify any vulnerabilities that also exist in Windows XP.”

This echoes Rains’ warnings from this past summer. In an Aug. 16 blog post, he wrote, “Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a ‘zero-day’ vulnerability forever.”