Windows XP still less secure than Win 7 and Vista

The latest Microsoft Security Incident Report illustrates once again that Windows XP is significantly less secure.

Microsoft has released a new Security Incident Report--the eighth volume of Microsoft's quarterly overview of computer and network security trends. The report illustrates once again that security can be greatly improved by upgrading to the latest software, and through user education.

The Key Findings Summary points out some of the more relevant data discovered over the past three months. Here are some of the highlights:

• The 64-bit versions of Windows 7 and Windows Vista SP2 had lower infection rates than any other operating system configuration in 2H09, although the 32-bit versions both had infection rates that were less than half of Windows XP with its most up-to-date service pack, SP3.

• Domain-joined computers were much more likely to encounter worms than non-domain computers, primarily because of the way worms propagate. Worms typically spread most effectively via unsecured file shares and removable storage volumes, both of which are often plentiful in enterprise environments and less common in homes.

• In Windows XP, Microsoft vulnerabilities account for 55.3 percent of all attacks in the studied sample. (comparing targets of browser-based exploits)

• In Windows Vista and Windows 7, the proportion of Microsoft vulnerabilities is significantly smaller, accounting for just 24.6 percent of attacks in the studied sample. (comparing targets of browser-based exploits)

Vinny Gullotto, general manager of the Microsoft Malware Protection Center wrote in a post on The Official Microsoft Blog "The Internet holds great opportunity, but as cybercrime evolves it can be difficult to know how to stay protected."

Gullotto goes on to explain "As businesses continue a gradual migration toward cloud computing, bot herders in the malware community have adopted their own version of cloud computing--a "black cloud" built on global networks of compromised computers to install spyware, spread malware and spam around the world. Moreover, malware kits are developed, released, and updated just like legitimate products--complete with advanced features and minor releases to improve kit effectiveness."

I spoke with Graham Titterington, principal analyst at Ovum, about the Microsoft Security Incident Report, and he also pointed out the continuing trend of malware and other cyber attacks toward organized crime. Titterington told me that cyber criminals are very sophisticated, some even more so than legitimate businesses--complete with research and development teams, marketing, beta testing, and other tools to ensure the efficacy of the malicious code they develop.

Many look to legislators to craft new laws with harsher penalties to address the rise in cyber attacks and cyber crime. The problem with new laws is twofold. First, laws only hinder the activities of the law-abiding. Cyber criminals are already aware they are breaking the law, and obviously they don't care. So, creating new laws will not impede cyber attacks.

The other--perhaps even larger issue--is that the Internet is global, but laws are regional. Just because an attacker violates a law in the United States doesn't mean they have violated a law in Argentina. Tracking an attack to its true source, and engaging local authorities to cooperate in apprehending the perpetrators is like herding cats.

According to Titterington, the best that law enforcement can do to stop, or at least slow, cyber attacks is to follow the money. Disrupting the means for attackers to benefit monetarily from the attacks is arguably the quickest way to shut them down.

The latest Microsoft Security Incident Report also includes a new section with guidance from Microsoft on how to mitigate or protect against the threats described. The report says "Transform your security message from "no" to "how." Demonstrate to your organization how to be secure rather than telling them what they can or cannot do."

The advice from Microsoft includes tips such as using creative and engaging formats such as podcasts or contests, and focusing on "how-to" type formats. Microsoft also stresses the importance of basic user education--keeping users informed not to click on unknown or suspicious links, how to create and use strong passwords, not to share username or password information, and other common sense measures that need to be drilled on a regular basis.

The full Microsoft Security Incident Report v8 has 12 pages of information and links to additional resources to help IT administrators take specific action to protect their networks and computer systems from the threats discussed in the report.

Tony Bradley is co-author of Unified Communications for Dummies. He tweets as @Tony_BradleyPCW. You can follow him on his Facebook page, or contact him by email at

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftwindows xp

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tony Bradley

PC World (US online)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?