AMSTERDAM: Systems using Windows XP are six times more likely to fall victim to malware than those running Windows 8, according to Microsoft Trustworthy Computing (TwC) general manager, Mike Reavey.
Speaking during a keynote at the RSA Conference in Amsterdam, Reavey said Microsoft spotted the trend while researching its latest threat report, The Risks of Running Unsupported Software.
"There are over one billion Windows machines online and we can use them to track malware," he said at the event.
"I'm pleased to say if you look at the infection rate on Windows systems you can see older versions are infected more than newer machines. Windows XP is six times more likely to be infected than Windows 8, even though it has the same malware encounter rate."
The comments are perhaps not surprising as Microsoft attempts to encourage customers to move to its new operating system. However, with less than six months until support for XP officially ends, the warnings are not without merit. So far, though, many users seem happy to stick with XP.
Despite this, Reavey cited Windows 8's lower infection rate as proof that Microsoft's Secure Development Lifecycle (SDL) practices are effective. SDL is a development process started by Microsoft in 2004. It is designed to improve new product security while reducing development costs.
"The downward rate is a sign of secure development practices," he said. "In pretty much every service in Microsoft we have people devoted purely on security, focused on what's going on in the marketplace and what's needed to secure it."
The Microsoft manager urged other businesses to follow its example. "When securing a product you should ask, does your development team talk to your operations team and if they do what do they talk about? Is it something as prescriptive as threat modelling? It should be," he said.
He added that, while successful, an SDL strategy on its own is not sufficient to ensure a product is secure. "Regardless of our efforts securing our products and services, I firmly believe as long as there are motivated people out there, if they really want to, they will find a way to infect it," he said.
The Microsoft chief highlighted the notorious Flame malware as proof that no system can ever be designed to be 100 percent hacker-proof from the start.
"For example, think back to Flame. I was part of the response team that dealt with this when it first emerged. When it first hit, the headlines were pretty inflammatory [...] but it was pretty advanced, and there were a couple of elements to it that are really important," he said.
"If you look at the elements of Flame used for the initial infection it's pretty important. It wasn't a zero-day [...] Flame only worked if it was inside the victim's network. That's because it pretended to be a web proxy to disturb the flow. The second thing is it exploited software issues in Microsoft. Flame looked at how our system did certificates and made it look like it came from Microsoft."
Flame was a piece of espionage-focused malware uncovered in 2012 targeting Iranian systems. It had several advanced features that led many security experts to list it as a game changer for the industry.
Reavey said that, to deal with emerging security issues, businesses should learn from threats like Flame and proactively work to improve their protection. "The lessons learned from Flame aren't unique to Microsoft," he said.
"I hope they haven't had to go through something like Flame, but you shouldn't ignore it and wait to do something. Crises happen, they happen to us, they happen to everyone. The important thing is for you to learn from them."