Windows XP users six times more likely to be hacked

Byron Acohido | USA TODAY

Windows XP security patches ending soon: Microsoft plans to stop issuing security patches for Windows XP next April, leaving millions of PCs even more vulnerable to hackers.

SEATTLE — Microsoft's venerable Windows XP operating system is six times more likely to be successfully hacked than newer Windows 7 and Windows 8 personal computers.

Microsoft disclosed that metric at the RSA Conference in Amsterdam this morning. The software giant hopes to compel XP users to dump XP and upgrade to Windows 7 or Windows 8 — before it ends all XP support, including issuing security patches. That will happen come April 8, 2014.

"XP has been a beloved operating system for millions and millions of people around the world, but after 12 years of service it simply can't mitigate the threats we're seeing modern-day attackers use," says Tim Rains, director of Microsoft Trustworthy Computing.

Criminal hackers, as you might imagine, can't wait until April 8. That's because most consumers are clueless about the true scope of security risks. And thousands of companies, for economic and operational reasons, appear intent on continuing to use XP machines well after Microsoft officially stops supporting XP, which was launched in October 2001.

But the intense good-guy vs. bad-guy race to find and exploit new holes in Windows 7 and Windows 8 is not going to stop. The key point is this: Microsoft will continue to issue security patches for Windows 7 and 8, but not for XP.

Security experts anticipate that cybercriminals will move to take advantage. Historically, about two-thirds of malware developed for Windows 7, for instance, works well on Windows XP, says Wolfgang Kandek, chief technology officer at cloud-based security firm Qualys.

Every time Microsoft issues new security patches for Windows 7 or 8, which it does on the first Tuesday of each month, hackers will get a list of fresh, never-to-be-patched security holes in most XP machines still in use.

"Attackers can take information about new problems with Windows 7 and say, 'I wonder if this works also in XP,'" says Kandek. "With no more patches available, XP will make a good target for hackers."

The sheer number of Windows XP machines still in operation provides ample incentive for the bad guys. Of the estimated 1.3 billion Windows PCs in use globally, some 21% use Windows XP, according to StatCounter. And if you count the PCs accessing the Internet, as NetMarketShare.com does, some 31% are Windows XP machines.

Microsoft has stuck by XP longer than any previous version. It went eight years before cutting support for Windows NT, 11 years before doing the same with Windows 2000 and it will go 13 years before pulling the plug on XP, points out Rob Kraus, research director at security management firm Solutionary.

"Having an operating system in place for 13 years is a testament to the work Microsoft has put into the OS," Kraus says.

It was with XP Service Pack 2 in 2004 that Microsoft first enabled firewalls for Windows users by default. Subsequently, the software giant endured costly delays in the launch of XP's successor, Windows Vista, mainly to make major security upgrades. And then it reinforced those security protections in Windows 7 and 8.

"Microsoft fundamentally redesigned the operating system after XP," says Phil Lieberman, president of security consultancy Lieberman Software. "Trying to patch such an old operating system is akin to doing repairs to an old building that everybody agrees needs to be torn down."

Even so, it's highly likely millions of consumer and business XP machines will continue in use after April 8. A French company, Arkoon, has even begun offering a service that will identify vulnerabilities in XP machines after Microsoft stops issuing security patches.

And Microsoft itself is offering a failsafe for companies that can't, or won't, sunset XP. They might qualify to purchase "custom support" from Microsoft to receive critical security updates and related technical support.

Companies that face switching large numbers of XP workstations or that risk losing use of old business apps that won't run well on newer versions of Windows must do the cost vs. benefit calculation.

Pierluigi Stella, chief technology officer of Network Box USA, says for many companies still using XP, the wisest course will be to bite the bullet and upgrade.

"Generally speaking, most companies typically can be migrated without major issues," he says. "It's only a matter of planning, budgeting and executing."