In association with heise online

18 July 2008, 11:04

The five-minute rumour

Once again, the dispute has flared up. Some people say that it only takes five minutes for an unpatched Windows PC to be compromised; others say it takes hours. Why don't we just agree that both figures are wrong?

While we're at it, let's agree that both estimates are, to put it kindly, nonsense; in the worst case, those spreading such rumours are just trying to cause panic. After all, what is an unpatched system if not one that simply lacks the last update or two? That can happen to any of us, which is why such estimates are simply worthless.

Such guessing games only concern systems that are both vulnerable and reachable remotely. Time was that such assumptions were accurate, as worms like Sasser impressively demonstrated. Within a few minutes, they infected Windows computers used by people who had done nothing but access the internet. Since then, a lot has changed. Today, you can't buy such a vulnerable system anywhere. Nor could you last year, or the year before that.

Windows XP Service Pack 2 ended all that. Since then, Windows Firewall has been active on all network connections, by default, protecting your system from unsolicited incoming packets. Remember: SP2 was released almost four years ago, and official support for XP systems without it expired in 2006. In other words, all Windows XP systems that have been even rudimentarily updated in the past few years are protected against such attacks. Of course, all systems still receive a malicious packet every few minutes, but the firewall generally tosses them out before they can do any harm (1).

Don't get me wrong: there are still considerable dangers lurking out there for Windows users. They just aren't the same risks that everyone was talking about a few years ago. The days of Sasser & Co. are over. Indeed, classic email trojans are no longer the main problem either. These days, most malicious software is injected when people visit web sites. Hundreds of thousands of web sites are compromised and exploit security flaws in Internet Explorer, Adobe Reader, the Flash plug-in, and any number of other commonly used apps you care to mention. Those are the real dangers that the internet poses for normal users. And that's the point: such dangers can no longer be measured in average survival times.


(1) While some security flaws in the TCP/IP stack, such as MS08-001, can be exploited despite Windows' firewall, I am not aware of any mass attacks along these lines.
