Windows Vista will continue to be attacked and exploited. In 2007, the number of publicly known exploits of Vista was down compared to those of XP (as predicted by many observers), but the numbers weren’t down significantly enough to make anyone feel like they could compute in relative safety. It will be nice if the number of Microsoft Office-related exploits goes down. 2006 and 2007 were banner years for Microsoft Office exploits. [Disclosure: I work full-time for Microsoft]. Because of SDL, I expect exploits in XP, Vista, and Office to go down in 2008.
Of course, no matter how secure an operating system is, most exploits will continue to rely on socially engineering users into installing things they otherwise shouldn’t. As I covered in several previous columns, client-side attacks account for more than 90 percent of all malicious compromises. I don’t see that changing: User behavior is tough to alter.
Last year I predicted a decrease in malware spread using e-mail vectors and an increase in exploits using Web sites. The only real surprise was the sheer number of completely innocent, commercial Web sites used to spread malware.
Application-side vulnerabilities will continue to grow. QuickTime, RealPlayer, Flash, and Windows Media Player all had significant exploits this year, and the numbers are still trending upward. Exploits will continue to target VoIP (Skype and the like) and social portals (YouTube, Facebook, MySpace, and others), as rootkit Trojans continue to grow in prevalence.
Will 2008 finally be the Year of the Massive Cell Phone Exploit? The popularity of the iPhone would almost dictate that it will be, but if that were the case I would have expected a major iPod exploit by now. Every year dozens of computer security prognosticators predict a cell phone virus will panic the world. But we’ve been predicting that since 1999, when a widespread Trojan hit Japan’s DoCoMo cell phone network. I’m not holding my breath. It will happen when cell phones become more popular than computers for online banking and commercial transactions. (And that will happen -- I just don’t think it will be this year.)
So, expect more of the same next year. I don’t see any paradigm shifts. Computer security vendors aren’t likely to make you significantly safer, and what the criminals are already doing is working quite well for them, so there’s no need for them to shift tactics.