Infection rates and end of support for Windows XP


In the newly released Volume 15 of the Microsoft Security Intelligence Report (SIRv15), one of the key findings to surface relates to new insight on the Windows XP operating system as it inches toward end of support on April 8, 2014.

In this post we want to highlight our Windows XP analysis and examine what the data says about the risks of being on unsupported software. In the SIR, we traditionally report on supported operating systems only. For this analysis we examined data from unsupported platforms, like Windows XP SP2, from a few different data points:

  • Malware encounters (newly introduced in SIRv15) in comparison to infections.
  • Infection rates for supported and unsupported operating systems.
  • Impact of antimalware protection on supported and unsupported operating systems.

Malware encounters and malware infections

Earlier today we published a blog post that discussed a new metric for analyzing malware prevalence which was introduced in the latest report. This new metric, called the encounter rate, measures the percentage of computers protected with Microsoft real-time antimalware products that come into contact with malware. It is important to note encounters do not equate to infections. Although some computers do report active malware, the vast majority of these encounters represent blocked infections reported by our antimalware products. Another recent blog explained our metrics in more detail.

You can think of the encounter rate as a way to measure what percentage of computers are exposed to malware. In comparison, the infection rate (CCM) measures how many computers out of 1,000 scanned by the Microsoft Malicious Software Removal Tool (MSRT) actually got infected. What’s really fascinating about these data points is when you compare the two.

The following chart shows the encounter rate in comparison to the infection rate by operating system and service pack. While Windows XP SP3 computers encountered almost as much malware as other platforms, computers running Windows XP as a whole experienced a much higher infection rate. For example, although Windows 8 computers may encounter a similar amount of malware as Windows XP, people who use Windows XP are six times more likely to get infected.

Figure 1: Malware Infection and encounter rates for Windows operating systems during 2Q13

A few possible reasons for the higher infection rate on Windows XP are:

  • Antimalware protection may not be active or up to date (more on this hypothesis in the last section).
  • Older technology lacks the protective measures built into more recently introduced operating systems, and therefore is challenged to defend against some attacks.

Windows XP was built more than 12 years ago and was architected to include security technologies that were innovative at the time. For example, Windows XP SP2 was released in 2004 and introduced Data Execution Prevention. However, the threat landscape has changed quite a bit since then and technologies that were built a decade ago, like DEP, are now commonly bypassed. A paper released earlier this year from Trustworthy Computing: Software Vulnerability Exploitation Trends helps illustrate this point. The paper also provides a comparison of security mitigations built into Windows 8 and compares them against the mitigations built into Windows XP.

Newer operating systems are not vulnerable to many of the exploitation techniques that are still widely used and remain effective against older platforms. Newer operating systems include a number of security features and mitigations that older versions were simply not designed for at the time.

Infection rates on unsupported operating systems

Once support ends, if Windows XP SP3 follows a trend similar to prior Windows XP versions which are unsupported now, we can expect infection rates to rise.

For example, support for Windows XP SP2 ended on July 13, 2010 (support notification). The dashed blue line in the following chart represents its infection rate after that time.

Figure 2: Windows XP SP2 infection rate after end of support

In the first two years after Windows XP SP2 went out of support, the infection rate disparity between the supported (Windows XP SP3) and unsupported (Windows XP SP2) service packs grew. In fact, the infection rate of the unsupported version was, on average, 66 percent higher than the supported version (Windows XP SP3).

After support ends, Microsoft security updates are no longer provided to address newly found vulnerabilities, but that does not mean that new vulnerabilities won’t be discovered and exploited by attackers. For example, it will be possible for attackers to reverse-engineer new security updates for supported platforms to identify any vulnerabilities that may also exist in unsupported platforms. Tim Rains talked about the potential impact of doing so in his blog post this morning.

Impact of malware protection on supported and unsupported operating systems

One question I hear a lot when discussing unsupported versions of the OS is “So, won’t antivirus help protect my computer?” We absolutely encourage everyone to use real-time antimalware to help protect themselves against cybercriminal activity. In fact, the latest report shows that during the last quarter unprotected computers were 7.1 times more likely to be infected than protected computers.

That said, our data also tells us that running antimalware on out-of-support systems is not an equitable solution to protect against threats. The following chart compares the monthly infection rates for protected and unprotected computers on Windows XP SP2 and Windows XP SP3 in the last half of 2012 (this data for Windows XP SP3 was reported in the “Running unprotected” section of SIRv14).

The data shows that protected systems on Windows XP SP2 are twice as likely (2.2 times, to be exact) to be infected in comparison to protected Windows XP SP3 computers. Unprotected computers show a similar trend: you’re 2.5 times as likely to be infected on Windows XP SP2 in comparison to Windows XP SP3 when neither has up-to-date antimalware protection.

Figure 3: Average infection rate for computers with and without antimalware protection

As past Microsoft Security Intelligence Reports have shown, running a well-protected solution means running up-to-date antimalware software, regularly applying security updates for all software installed and using a more modern operating system that has increased security technologies and mitigations. This advice remains consistent with the new data in SIRv15.

Of course, this blog highlights just one of the many key findings in the latest report. I encourage you to download the report today to learn all about the latest trends in the threat landscape.

Holly Stewart
MMPC


Comments (23)

  1. Anonymous says:

    If we compare Windows and other operating systems like Apple's Mac, I found that, including all the setup requirements and other headaches that we need to deal with to make any new projects/applications, Windows is much easier and more user-friendly, as the technology or programming is done on the Java platform. Whereas on an OS like Mac, only a savvy Mac user who is an expert in his field is needed, and obtaining those specialists is more costly. So, I want to suggest to everyone that the decision to upgrade to an alternate OS must be taken keeping cost optimization in mind also.

  2. Anonymous says:

    hello

  3. @TairikuOkami Beyond a doubt UAC will do a great job .. But how did you make sure you don't have any piece of malware?

  4. Guitar Bob says:

    Why couldn't Microsoft incorporate new technologies (security and otherwise) as they become available into an existing operating system (like XP)  and not issue a completely new (and disruptive/expensive) operating system every few years?

    Regards,

  5. javid says:

    no comment

  6. javid says:

    thanks for your guidance

  7. coakl says:

    To improve your odds with XP:

    a. set your DNS server addresses to the ones used by Symantec Norton ConnectSafe.  It's free and it provides an additional layer of malware filtering of every web site you attempt to go to.

    b. use a limited user account in XP for your daily work and web browsing.  Run as an administrator only when needed to install software or updates.

    c. Use a web browser other than Internet Explorer.  I recommend Firefox, because I can use the NoScript extension with it.  I use it to easily block Javascript, Flash, Java, iframes, and other plug-ins unless I specifically allow it.

    d. Block ads, either with a custom HOSTS file or the AdBlock Plus extension in your web browser.  A lot of malware is infiltrated via hacked ads served by the advertising networks.

    e. Install Microsoft EMET to block common ways for malware trying to get in.  It basically allows XP to use some of the security technologies used by Vista and Win 7.

    f. Plugin Threat: Get rid of Java.  Uninstall it completely.

    g. Plugin Threat: Block Flash unless you need it.  This can be done through NoScript.  Firefox and Chrome also offer Click-To-Play, where a plugin only runs when you click on its placeholder.

    h. Plugin Threat: Get an alternate PDF viewer, other than Adobe PDF Reader…the ones built in to Chrome and Firefox work well.  Don't allow your web browser to open PDF documents using Adobe as the first choice.  

  8. Thanks for the share. Informative.

  9. Ancient says:

    Guitar Bob: Errrr….  because there's no profit in continually patching a product that everybody's already paid for?

  10. fred says:

    Why would u expect MS to continue to patch an out of date OS ? Are u still running WIN95, of course not. XP was a great leap from WIN 2K but WIN 8 is more stable AND more secure.

  11. Eddy Current says:

    I ABSOLUTELY discourage everybody to rely on antimalware software — it can't help against new and/or unknown malware.

    Fortunately Windows provides other effective and reliable means to prohibit unwanted software to run: SAFER alias software restriction policies. Cf. http://mechbgon.com/srp/ for example.

  12. tony b says:

    Windows 8 does work well and much faster than operating systems of old.. but my opinion is that Windows XP was very stable, especially when compared to its predecessor Windows Vista, which in my opinion wasn't worth even looking at, never mind installing, as far as sterility goes anyway..

    A lot of businesses still reliably run Windows XP and will now be forced to jump to a newer operating system when, like the comment above says, if they would have added a more advanced firewall etc. like in newer operating systems, maybe as an SP4, then it would be fine and no need to get newer hardware to suit the newer operating systems

    but Microsoft charge money for licences, so of course they want you to go and buy a new operating system; it's simply more money for them

  13. Don says:

    Fred:

    I'm still using DOS 6.22, Win 98 as well as XP. I have a program that only works on DOS that I've not seen a newer version that I wish to pay for as it's easier to keep 6.22, and it's not online. Just thought I'd let you know some older versions are still in use.

  14. CharlileMA says:

    coakl

    f. Plugin Threat: Get rid of Java.  Uninstall it completely.

    Seriously? Many programs use this don't they..especially many sites.. ??

  15. AreJ says:

    Ancient & Guitar Bob:  What if users were willing to pay an "extended license" fee, like an extended warranty….??

  16. DJ says:

    I agree with the suggestion to get rid of Java.

    If you must have it, make sure that it is up-to-date and is regularly updated.

  17. disgusted with windows ANYTHING says:

    Screw Micorsoft…. time to opt out entirely and go Mac

  18. Rovinous Maximus Retunimus says:

    Hmmm, really, I guess you missed last week's MVP broadcast, SharePoint 2014 will "use" jQuery, Developers from Silicon Valley have sued for "collusion", OS X was created from Open Source, Darwin anyone, the reason Apple can release their software for free is that you have to purchase a new Mac every three years! (Besides, don't lose your grip, the new Mac Air uses Intel embedded graphics (Boy, that kicks!)) Poor SJ is rolling in his grave. I do like No Script, Abine, and many other tools O'd trade. Let's all run Kali Linux and penetrated the infidels! O.k. rant over, http://www.us-cert.gov/ {Unplug, Disconnect, Use a pencil, abacus, two cans and a string} they have us upstream! On the lighter side, I kind of like (maybe one of the few.) who appreciates Windows 8 (did fine without 8.1, yet have it.) Hyper-V rocks!

  19. Nunbeliver says:

    discusted with windows ANYTHING,

    Please check your spell check on your MAC, it misspelled Microsoft (r).

  20. Andy says:

    A bogus message from Microsoft Security said my computer was infected with a trojan and two viruses. I did not allow access; however, I ran quick and full scans, which did not show any malware.

  21. Meitzi says:

    Thanks coakl and Eddy Current, you both gave nice ideas. (I will test DNS and software restriction)

  22. Robert says:

    The only way to keep your computer clean is to sanitize the HD and install Windows. No firewall or Windows updates can protect your computer from INTRUDERS. Many web sites dictate that you turn on cookies (to open the back door for them). So do not keep anything on your computer. Use a TEMP folder and transfer anything you download or create to a memory stick, or for sensitive things use a 16GB class 10 micro SD card. Frequently wipe out the hard drive with Dban Boot and Nuke. Three passes on a 250GB HD are completed in 3 hours. Make sure to put a fan under your computer because the cleaning is completed under DOS, and the computer overheats and shuts down in the middle of the process. Before formatting the HD, make sure there are no problems with the HD sectors. Run from Command COM CHKDSK, then CHKDSK /F and after that CHKDSK /R before formatting with Boot and Nuke. Finally, reinstall Windows, or the clone of your HD with drivers and the most important utility programs. I use two identical laptops with Windows XP, can swap the HD, and have the disk with the factory program to rewrite the sectors of the HD and flash the BIOS. These 2 laptops are exposed to more insecure web sites, where I can get most information from unsecured sites. With another laptop with Windows 7 I take fewer risks, and the other with Windows 8 is used for Skype and fun.

  23. TairikuOkami says:

    To Guitar Bob – What are you talking about? Windows security has increased since Vista. I use a computer with no security software for years, no AV or firewall, and I have never got a single virus. I completely rely on Windows to protect me, that includes great UAC of course, it works as well as in Linux.