Thursday, 17 January, 2002, 16:57 GMT

Microsoft to tackle security failings

[Image: Microsoft regularly targeted by hacking groups]

Bill Gates has declared war on Microsoft's insecure software.

In an e-mail sent to every member of the software giant's staff, Mr Gates said computer security was key to making its future products acceptable to consumers and businesses.

But others have questioned his sudden conversion, saying the change comes too late and ageing Microsoft products will be a problem for years to come.

Others have said the e-mail looks like a PR stunt, and is in stark contrast to Microsoft's attempts to limit the spread of information about the security failings of its products.

Security lessons

Mr Gates dubbed the new initiative outlined in the e-mail as "Trustworthy Computing", and said it had to become "the highest priority for all the work we are doing".

He warned that unless Microsoft products are secure and trustworthy no-one will risk using them for the kinds of web-based services it is betting its future on.
Anyone at Microsoft writing software who has to choose between adding new features or making them more secure, should choose security every time.

"Our products should emphasise security right out of the box, and we must constantly refine and improve that security as threats evolve," wrote Mr Gates.

Many Microsoft watchers have compared the mail to the moment in 1995 when it recognised the importance of the internet, and the announcement in June 2000 of the .Net initiative which updated this web-centred strategy.

Security failings

But others are more sceptical about the substance of the e-mail.

"It's about time, perhaps overdue," said David Smith, an internet strategist at research firm Gartner.

Mr Smith said before now Microsoft products have done much to undermine the security of the internet.
The Code Red worm, which disrupted the lives of tens of thousands of net users, spread by exploiting problems with Microsoft's Internet Information Server.

Even XP, which Microsoft has declared its "most secure operating system ever", is not free of security failings.

In late December, eEye Digital Security discovered a hole in Windows XP which could have been used by malicious hackers to take remote control of a PC. Even Scott Culp, Microsoft security manager, called it "a very serious vulnerability".

PR problem

The same Mr Culp criticised security researchers recently for their zeal in spreading information about weaknesses in Microsoft software.

He said the swift circulation of vulnerabilities alerted vandals and malicious hackers to their existence, and fostered attempts to exploit the loopholes.
Many said the desire to limit who gets to know about security problems was simply an attempt by the corporation to stifle bad news.

"Microsoft treats security vulnerabilities as public relations problems," said respected security researcher Bruce Schneier in a recent edition of his widely-read Crypto-Gram newsletter.

He said Microsoft should be more open about its products, especially as most of the loopholes are discovered by independent researchers.

Mr Schneier cited a study by Megan Carney at the University of Minnesota which showed that barely 10% of the software vulnerabilities reported to the Computer Emergency Response Team in 2001 were discovered by the makers of a program.

As an example, a recent article in the self-styled hacker quarterly 2600 declared that compromising Passport, Microsoft's method of identifying .Net users, was "easy to accomplish".

Alex Shipp, senior anti-virus technologist at MessageLabs, said he doubted Microsoft's conversion to the cause of good security would make much difference because so much of its software was already in circulation.

"We have seen things getting worse every year," he said.

Microsoft faced more problems than most because its software was complex, widely used, often poorly administered and was regularly targeted by both malicious hackers and virus makers, said Mr Shipp.

"The virus writers always go for the things that spread their virus best," he said. "They target Microsoft because it is so successful."