The Windows XP Zombie Apocalypse

"Supporting operating systems beyond their end-of-life is nothing new for the corporate IT department, and there are plenty of ways-and-means to reduce or mitigate the risks associated with unsupported software. In the meantime, Google has said that it will support its Chrome web browser on Windows XP until April 2015, and antivirus vendors (including Microsoft) have said they will continue to update their software running on Windows XP computers until 2015."

What isn't in question is that, after today, software updates (wave goodbye to 'Patch Tuesday' for XP and service packs) will cease and desist. Even if a gaping big vulnerability is uncovered, regardless of whether there's a zero-day in the wild causing all kinds of damage or whatever, there will be no more security patches.

That much is stone cold fact. Existing patches may well - given the sheer number of XP instances still out there - be available online for some time yet. That doesn't alter the frankly worrying fact that any new vulnerabilities are going to be left unpatched and accessible for anyone to exploit as they wish.

Research suggests that as many as a third of existing malware infections across operating systems can be put down, at some level, to a lack of timely security patching. It's common sense really, and doesn't take an IT security genius to work out that an unpatched piece of software (be that third-party application or core OS) is far more likely to get infected by an exploit than one that has been patched against a specific vulnerability.

At the OS level, it's also clear that while Windows XP and Windows 7 stand roughly shoulder-to-shoulder in terms of infection rates when there is no real-time anti-malware protection in place, with such armour Windows 7 leapfrogs clearly into the 'much safer' category.

Windows 8 hasn't been covered off in this feature yet for two key reasons. Firstly, it just hasn't made any kind of impact upon the enterprise migration radar as of yet. Secondly, real-time protection comes built-in and, as a result, infection rates are so low as to be all but invisible right now.

Indeed, about 0.2 per 1,000 compared to 4.2 per 1,000 for XP machines. Take away the real-time malware protection and XP rates shoot up to 15.6 per 1,000 according to Microsoft's own Malicious Software Removal Tool figures. This latter statistic is an important one in terms of the Windows XP security risk analysis. That's because the bad guys tend to focus their attention and resources where the biggest profit lies.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.