Microsoft will face more than 40 vulnerabilities in Windows Vista next year, as the operating system climbs past the 10% market-share milestone and malware authors really start to find flaws, a McAfee analyst said.
"Most of the current malware has ignored Vista," said Craig Schmugar, a threat researcher at McAfee's Avert Lab -- but that's not because the operating system has been frustratingly secure against attack. Rather, Schmugar argued, Vista's gotten off easy its first year because hackers didn't think it was a worthwhile target.
"These people make their living writing malware or attacking users," he said. "They're driven by financial motivation, and only when market share has an impact will they really work on Vista."
At some point in 2008, Vista will own a tenth of the desktop operating system market, Schmugar predicted. The milestone should mark the beginning of concerted efforts by attackers to root out vulnerabilities in the newer operating system. "Although the huge market share that XP has means [attackers] will still be profitable there for years to come, Vista at 10% will put it on their radar," he said.
According to data from Web metrics vendor Net Applications, Vista's market share was about 7.9% at the end of October, up from 7.4% the month before.
"In the short term, Microsoft's case that Vista is more secure is supported by the data," conceded Schmugar, who referred to data Microsoft has cited from its Windows Malicious Software Removal Tool. In its most recent report on the tool Microsoft said the program cleaned malware from "60% less Windows Vista-based computers compared to computers running Windows XP SP2."
Schmugar's argument is that while that number is probably accurate, Vista's better performance isn't due only to its security prowess; it also stems from the fact that hackers haven't paid much attention to it.
"You look at the big malware, the most significant threats, and there's nothing specific to Vista in them," Schmugar said. "As Vista gains in adoption, it then impacts malware authors and forces them to focus attention on finding vulnerabilities, or to alter their social engineering techniques to accommodate it."
If that concept sounds familiar -- that market share plays a part in determining the vulnerability profile of an operating system -- it's because Mac OS X users have long relied on it. "There are definitely parallels between Mac OS X and Vista" when it comes to the likelihood of an attack, Schmugar said. "Operating systems aren't bulletproof. You can have an OS that's attacked less, certainly, but a larger part [of the equation] is market share."
This expected increase in attention, as well as past trends, led Avert Labs to project that Vista will be hit with between 40 and 45 vulnerabilities during 2008, more than double the number of flaws disclosed in its first nine months.
"The National Vulnerability Database reports 19 Windows Vista vulnerabilities in the first nine months," stated Avert Labs' just-published top 10 threat predictions. "This compares with 16 Windows XP vulnerabilities during a comparable period. [But] the number of reported Windows XP vulnerabilities more than doubled in the following 12 months." Avert came up with its estimate for 2008 by using that same doubling-plus rate.
"Some of those will come from malware authors digging a little deeper into Vista," said Schmugar, "and others will come from using the research on Vista that's already been done."
Avert Labs' other predictions for next year can be found in the report posted on its Web site.