According to a McAfee analyst, Windows Vista could be hit by more than 40 security vulnerabilities next year, as its market share increases to the point where hackers start to take notice.
"Most of the current malware has ignored Vista," said Craig Schmugar, a threat researcher at McAfee's Avert Lab. But that's not because the operating system has been frustratingly secure. In fact, Schmugar argued, Vista has been a worthwhile target in the first year of its release.
"These people make their living writing malware or attacking users," he said. "They're driven by financial motivation, and only when market share has an impact will they really work on Vista."
At some point in 2008, Vista will own a tenth of the desktop market, Schmugar predicted. The milestone should mark the beginning of concerted efforts by attackers to root out vulnerabilities. "Although the huge market share that XP has means [attackers] will still be profitable there for years to come, Vista at 10 percent will put it on their radar," he said.
According to data from web metrics vendor Net Applications, Vista's market share was about 7.9 percent at the end of October, up from 7.4 percent the month before.
"In the short term, Microsoft's case that Vista is more secure is supported by the data," conceded Schmugar, who referred to data Microsoft has cited from its Windows Malicious Software Removal Tool. Microsoft recently said the tool cleaned malware from "60-percent less Windows Vista-based computers compared to computers running Windows XP SP2."
Schmugar argues that while that number is probably accurate, Vista's better performance isn't due only to its security prowess; it also stems from the fact that hackers haven't paid much attention to it.
"You look at the big malware, the most significant threats, and there's nothing specific to Vista in them," Schmugar said. "As Vista gains in adoption, it then impacts malware authors and forces them to focus attention on finding vulnerabilities, or to alter their social engineering techniques to accommodate it."
If the idea of market share playing a part in the vulnerability profile of an operating system sounds familiar, it's because Mac OS X users have long relied on it. "There are definitely parallels between Mac OS X and Vista" when it comes to the likelihood of an attack, Schmugar said. "Operating systems aren't bulletproof. You can have an OS that's attacked less, certainly, but a larger part [of the equation] is market share."
This expected increase in attention, as well as past trends, led Avert Labs to project that Vista will be hit with between 40 and 45 vulnerabilities during 2008, more than double the number of flaws disclosed in its first nine months.
"The National Vulnerability Database reports 19 Windows Vista vulnerabilities in the first nine months," stated Avert Labs' just-published top 10 threat predictions. "This compares with 16 Windows XP vulnerabilities during a comparable period. [But] the number of reported Windows XP vulnerabilities more than doubled in the following 12 months." Avert came up with its estimate for 2008 by using that same doubling-plus rate.
"Some of those will come from malware authors digging a little deeper into Vista," said Schmugar, "and others will come from using the research on Vista that's already been done."