As the latest mass-mailing worm spread across the Internet on Monday, infecting many tens of thousands of Windows PCs with a program designed to attack the servers of Unix vendor SCO Group on 1 February, Gates stressed the importance of security to his company's products, but said that competing vendors -- such as SCO -- were courting danger by sitting back.
"A high volume system like [Windows] that has been thoroughly tested will be by far the most secure," Gates told the audience at the Developing Software for the future Microsoft Platform conference at London's Queen Elizabeth II Conference Centre. "To say a system is secure because no one is attacking it is very dangerous," said Gates, referring to operating systems that have a smaller share of the desktop market, such as Apple Mac OS and Linux.
Noting the large number of major virus epidemics during the past two years, Gates said that in some ways "hackers are good for maturation" of the platform, because they have forced the company to develop new inspection techniques for the code.
But patch management continues to be the largest headache, said Gates. "Everybody who had their software completely up to date [during the epidemics] was immune to those problems. But only 20 percent of our customers were, so obviously we weren’t doing enough." Part of the problem is with taxonomy, said Gates, such as making clear whether a patch is essential or just advised. Furthermore, patches are too large, and their regularity is not predictable. For instance, in December, Microsoft issued a patch through its Automatic Update service just one day after saying that it would issue no patches that month.
Gates said that "virtually all" Microsoft customers are now using automatic patching, but in the past even this has proved problematic. Last August, many companies were left open to a new virus because a flaw in the Windows Update service led them to believe -- wrongly -- that they were protected from MSBlast.
Microsoft software architect Chris Anderson, who is working on Longhorn, explained another problem with patches: "Today, virus writers don’t find holes," he said. "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours."
Gates also said Microsoft is looking at ways of developing email protocols so that a recipient can verify the sender of the email. "This is critical for security," he said, "and for getting rid of spam."