Windows 7 malware infection rate soars in 2012

But 2009 OS still 2X-3X less likely to get hacked than 11-year-old XP

Windows 7's malware infection rate climbed by as much as 182% this year, Microsoft said today.

But even with that dramatic increase, Windows 7 remained two to three times less likely to fall to hacker attack than the aged Windows XP.

Data from Microsoft's newest twice-yearly security report showed that in the second quarter of 2012, Windows 7 was between 33% and 182% more likely to be infected by malware than in the second quarter of 2011.

The infection rate for Windows RTM, or "release to manufacturing," the original version launched in Oct. 2009, was 33% higher this year for the 32-bit edition (x86), 59% higher for the 64-bit (x64) OS.

Windows 7 Service Pack 1 (SP1) -- the upgrade that shipped in Feb. 2011 -- saw even larger infection increases: 172% for x86, 182% for x64.

Microsoft blamed several factors for the boost in successful malware attacks, including less savvy users.

"This may be caused in part by increasing acceptance and usage of the newest consumer version of Windows," said Microsoft in its latest Security Intelligence Report. "Early adopters are often technology enthusiasts who have a higher level of technical expertise than the mainstream computing population. As the Windows 7 install base has grown, new users are likely to possess a lower degree of security awareness than the early adopters and be less aware of safe online practices."

But other elements came into play, argued Tim Rains, director of Microsoft's Trustworthy Computing group.

"There are several factors at play here. In XP, for example, we've seen infection rates go up because of particular pieces of malware that are more effective on that platform," said Rains in an interview. "[And] in different places in the world, [users'] ability to keep Windows up to date varies greatly."

For the first time, Microsoft ranked the threats facing each version of Windows, bolstering Rains' assertion that some malware families are more successful against, or at least more often aimed at, specific Windows builds, and thus affect the infection rates.

But security researchers were more likely to pin the blame on Windows 7's popularity.

"Windows 7 has really been the first platform adopted by both enterprises and consumers, and that kind of adoption hasn't happened in quite some time for Microsoft," said Andrew Storms, director of security operations at nCircle Security. "Given the market movements, its likely that the attackers follow."

And Windows 7 is a more popular operating system this year: From June 2011 to June 2012, Windows 7's usage share grew 45%, according to statistics from metric firm Net Applications.

Microsoft collects infection data from several sources, including the Malicious Software Removal Tool (MSRT), a free utility it distributes to all Windows users each month that detects, then deletes selected malware. It then normalizes the data by comparing an equal number of computers for each edition of Windows.

The measurements are expressed as X per thousand: Windows XP SP3's infection rate, for instance, was 9.5 in the second quarter, or 9.5 XP SP3 machines out of every 1,000.

The x86 editions of Windows 7 RTM and SP1 came with higher infection rates than the x64 versions, and Windows 7 SP1 was less likely to be infected than RTM. Windows 7 RTM x86 had the highest rate, 5.3, while Windows 7 SP1 x64 had the lowest, just 3.1.

But even with that low rate, Windows 7 SP1 x64 had the dubious distinction of sporting the largest year-to-year increase because in the second quarter of 2011, its infection rate was an even lower 1.1.

Microsoft's numbers back up the belief that Windows 7 is a more secure OS than the still-present-in-large-numbers XP, and makes a good case for users of the latter to migrate to the former, a transition Microsoft and industry analysts have long supported.

If history is any guide, Windows 7's infection rate will continue to climb as its market share does the same, and won't begin to decline until a successor replaces it on a large number of PCs.

"There is probably no single technology feature set that can explain infection rates in either incline or decline," said Storms. "It has more to do with what the attackers want to attack. And as we have seen, attackers generally get what they want."

The 146-page Security Intelligence Report Volume 13 can be downloaded from Microsoft's website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place