I have been following the SecurityFocus mailing lists for years now, so it is interesting what kind of trends you notice (SecurityFocus.com is now owned by Symantec but has lots of great security articles and mailing lists). One thing I have noticed is the lack of operating system vulnerabilities. There used to be Windows worms, TCP overflows in *nix, etc., but not anymore. I really wonder why this is. Well, here are my theories.

1. Age. Developers of operating systems are now quite experienced, know that there are hackers out there, and really code with this in mind.

2. XPSP2. Yes, only a Windows item, but having a firewall that is ON by default really cuts down the attack vector to either the open ports or the firewall application itself.

3. Low hanging fruit. There are lots of new developers out there who don't know about security because a lot of schools don't teach it. These developers build applications that are easy to exploit through common means. This makes them an easier target, and usually the easy ones get picked off first.

4. No one is looking. With the variety of operating systems out there, it really limits the systems you can hack if you find a vulnerability (well, unless it is a Windows one). It is much easier to target an application like Apache or MySQL that is running on a lot of operating systems.

5. Cost. A shop developing an OS has many more resources to put towards security. Joe Average coding a forum in his mom's basement... not a lot of security resources.

I really do hope to see the security knowledge being passed into our everyday life to move the low hanging fruit a little higher.