As the latest mass-mailing worm spread across the Internet on Monday, hitting Windows PCs with a program designed to attack the servers of Unix vendor SCO Group on Feb. 1, Gates stressed the importance of security to his company's products but said companies such as SCO were courting danger by sitting back.
"A high-volume system like (Windows) that has been thoroughly tested will be by far the most secure," Gates told the audience at the Developing Software for the future Microsoft Platform conference at the Queen Elizabeth II Conference Centre here.
"To say a system is secure because no one is attacking it is very dangerous," said Gates, referring to operating systems that have a smaller share of the desktop market, such as Apple's Macintosh OS and the open-source software Linux.
Noting the large number of major virus epidemics during the past two years, Gates said that in some ways, "hackers are good for maturation" of the platform, because they have forced the company to develop new inspection techniques for the code.
But patch management continues to be the largest headache, Gates said. "Everybody who had their software completely up-to-date (during the epidemics) was immune to those problems. But only 20 percent of our customers were, so obviously, we weren't doing enough."
Part of the problem is with taxonomy, Gates said, such as making it clear whether a patch is essential or just advised. Furthermore, he said, patches are too large, and their regularity was not predictable. In December, for instance, Microsoft issued a patch through its Automatic Update service just one day after saying it would issue no patches that month.
Gates said "virtually all" Microsoft customers are now using automatic patching, but in the past, even this has proved problematic. Last August, many companies were left open to a new virus, because a flaw in the Windows Update service led them to believe--wrongly--that they were protected from MSBlast.
Microsoft software architect Chris Anderson, who is working on Longhorn, explained another problem with patches: "Today, virus writers don't find holes," he said. "They just sit back and wait for patches to appear, and then it is a race to write the first virus. We want to get patch deployment down from days or weeks to hours."
Gates also said Microsoft is looking at ways of developing e-mail protocols so that a recipient can verify the sender of the e-mail. "This is critical for security," he said, "and for getting rid of spam."
ZDNet U.K.'s Matt Loney reported from London.