In a report released last month for a congressional advisory panel, Northrop Grumman analysts detailed exactly how this happens. Looking at known attacks, the report found that targets are carefully selected, and then sent very believable e-mails with maliciously encoded attachments that exploit bugs in a product such as Adobe Reader -- something that's outside of Microsoft's control. The victim opens the .pdf and suddenly attackers have a foothold on the network.
Microsoft customers like Paul Melson think there will be much broader enterprise adoption of Windows 7 than there was with Vista, which was largely ignored by corporate users. But while Microsoft has its own house in order, security is still a problem on the Windows platform, according to Melson, a manager of information security with Priority Health.
"As long as third-party patching continues to be a challenge, client security will continue to be at the forefront of information security defense and incident response," he said via e-mail. "Windows 7 won't significantly reduce client-side attacks that lead to compromises, but I don't think that Microsoft should bear the burden for it, either."
Microsoft thinks it can go a long way toward solving this type of problem by improving the way people identify each other on the Internet. For the past few years it has promoted an idea it calls "end-to-end" trust, saying it wants to develop better identification mechanisms for people, computers and software on the Internet.
Microsoft has taken its first step in this direction with its Windows CardSpace identity management software. It could help give people a better sense of who they're really dealing with on the Internet, but whether the rest of the industry will buy into this vision remains to be seen.
"This is the next phase in the battle for trustworthy computing and that is still getting ramped up," Mundie said. "Clearly there's always more to do."
(Nancy Gohring in Seattle contributed to this story.)