All the latest UK technology news, reviews and analysis

Windows XP six times less secure than Windows 8, warns Microsoft

29 Oct 2013
Microsoft Windows XP screen

AMSTERDAM: Systems using Windows XP are six times more likely to fall victim to malware than those running Windows 8, according to Microsoft Trustworthy Computing (TwC) general manager, Mike Reavey.

Reavey said Microsoft spotted the trend while researching its latest The Risks of Running Unsupported Software threat report, during a keynote at the RSA Conference in Amsterdam.

"There are over one billion Windows machines online and we can use them to track malware," he said at the event.

"I'm pleased to say if you look at the infection rate on Windows systems you can see older versions are infected more than newer machines. Windows XP is six times more likely to be infected than Windows 8, even though it has the same malware encounter rate."

The comments are perhaps not surprising as Microsoft attempts to encourage customers to move to its new operating system. However, with less than six months until support for XP officially ends, the warnings are not without merit. So far, though, many users seem happy to stick with XP.

Despite this, Reavey cited Windows 8's lower infection rate as proof its Secure Development Lifecycle (SDL) practices are effective. SDL is a development process started by Microsoft in 2004. It is designed to improve new product security while reducing development costs.

"The downward rate is a sign of secure development practices," he said. "In pretty much every service in Microsoft we have people devoted purely on security, focused on what's going on in the marketplace and what's needed to secure it."

The Microsoft manager urged other businesses to follow its example. "When securing a product you should ask, does your development team talk to your operations team and if they do what do they talk about? Is it something as prescriptive as threat modelling? It should be," he said.RSA 2013 Microsoft

He added, while successful, an SDL strategy on its own is not sufficient to ensure a product is secure. "Regardless of our efforts securing our products and services, I firmly believe as long as there are motivated people out there, if they really want to, they will find a way to infect it," he said.

The Microsoft chief highlighted the notorious Flame malware as proof no system can ever be designed to be 100 percent hacker proof from the start.

"For example, think back to Flame. I was part of the response team that dealt with this when it first emerged. When it first hit, the headlines were pretty inflammatory [...] but it was pretty advanced, and there were a couple of elements to it that are really important," he said.

"If you look at the elements of Flame used for the initial infection it's pretty important. It wasn't a zero-day [...] Flame only worked if it was inside the victim's network. That's because it pretended to be a web proxy to disturb the flow. The second thing is it exploited software issues in Microsoft. Flame looked at how our system did certificates and made it look like it came from Microsoft."

Flame was an espionage-focused malware uncovered targeting Iranian systems in 2012. It had several advanced features that led many security experts to list it as a game changer for the industry.

Reavey said to deal with emerging security issues, businesses should learn from threats like Flame and proactively work to improve their protection. "The lessons learned from Flame aren't unique to Microsoft," he said.

"I hope they haven't had to go through something like Flame, but you shouldn't ignore it and wait to do something. Crises happen, they happen to us, they happen to everyone. The important thing is for you to learn from them."

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus

Work location poll - office, remote or home?

Where do you spend most time working on your primary work device?

Popular Threads

Powered by Disqus
LG G Flex 2 hands-on review

CES 2015: LG G Flex 2 video

A closer look at LG's latest curved-screen smartphone

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Beacon technology: what are the opportunities and how does the technology work?

This paper seeks to provide education and technical insight to beacons, in addition to providing insight to Apple's iBeacon specification


Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Business Analyst – Fintech50

Business Analyst – Fintech50 Quant Capital is urgently...

Global Head of Retail Insurance - Digital

The Global Head of Digital will be responsible for leading...

QA Officer

QA OFFICER Contract - Up to £11 per hour Crewe...

Technical Support Engineer

Technical Support Engineer - Citrix / Appsense / SCCM...
To send to more than one email address, simply separate each address with a comma.