Vulns will be found in PDF, Flash, and Java
There are vulnerabilities in Acrobat Reader, Adobe Flash, and Java today that will be announced and patched in 2013. Update: Because the twitterati tricked me into it, I'll shave my head if this prediction fails. Update: On January 10, an 0day was announced in Java. Two to go. Update: It's February 13, and some Flash 0days have been patched, as well as some more Java 0days.
Defenders will be surprised by exploits in PDF, Flash, and Java
Information technology departments will continue to manage the network as if exploitation of PDF, Flash, and Java is not an important threat. Desktops will continue to be on the "insides" of the network with access to everything, instead of being firewalled off. After a massive breach, they will change anti-virus vendors, still believing that anti-virus works as long as you choose the right anti-virus.
Defenders will be surprised by exploitation of SQL injection
Information technology departments will still not pressure consultants and vendors to take responsibility for SQL injection. They will still not institute policies like "no code on servers that pastes strings together instead of using parameterized queries". They will continue to go through stages of denial, like "it requires a password therefore hackers can't get to it".
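One way to check the "no pasted strings" policy above during code review, as an added example that is not part of the original post: a small Python AST check that flags DB-API style `execute` calls whose query is assembled by concatenation, `%`, `.format()` or an f-string. The sink names and the sample source are assumptions constructed for illustration.

```python
import ast

# Method names treated as SQL sinks (assumption: DB-API style cursor calls).
SQL_SINKS = {"execute", "executemany", "executescript"}

def is_built_string(node):
    """True if the expression assembles a string at runtime instead of being a literal."""
    if isinstance(node, ast.JoinedStr):            # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                # "..." + x   or   "... %s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr in ("format", "join")  # "...".format(x), ",".join(xs)
    return False

def find_pasted_sql(source):
    """Return (line, reason) for each sink call whose query is pasted together.
    Names assigned a built string are remembered, so `q = ... + x; execute(q)` is caught."""
    tree = ast.parse(source)
    tainted = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and is_built_string(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted[target.id] = node.lineno
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SQL_SINKS or not node.args:
            continue
        query = node.args[0]
        if is_built_string(query):
            findings.append((node.lineno, "query string built inline"))
        elif isinstance(query, ast.Name) and query.id in tainted:
            findings.append((node.lineno, f"query built on line {tainted[query.id]}"))
    return sorted(findings)

# Constructed sample input: three pasted queries and one parameterized query.
SAMPLE = '''\
def lookup(cur, name, uid):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")
    q = "SELECT * FROM users WHERE name = '%s'" % name
    cur.execute(q)
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

for line, reason in find_pasted_sql(SAMPLE):
    print(f"line {line}: {reason}")
```

The check is flow-insensitive and only tracks simple variable assignments, so it is a review aid for the policy, not proof that code is free of injection.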
Blame it on the Chinese
Everyone will continue to hype the threat of Chinese hackers. Defenders will excuse their failure to lock down desktops and stop SQL injection by claiming "you can't expect me to defend against state sponsored hacking". The NSA/military/bureaucrats will hype the Chinese threats to pass laws giving them more access to your information, and giving you less access to government information.
...and more of 2012
Like we said last year, vendors and con presenters will push the cloud, SCADA, cyberwar, and hacktivism angles. Moreover, we increase our odds to 85% that the Mayan apocalypse will not happen.