Microsoft's efforts to limit the ongoing damage from worms such as Blaster will not pay off for several years, according to security experts.

New Windows PCs will begin shipping with security switched on by default for the first time, with the release of Windows XP Service Pack 2 this summer, but it will take five or six years before such basic protections are common on the installed base of PCs, according to a Symantec executive.

Such unprotected PCs are increasingly being used to spread worms such as Blaster and junk email, usually without the PC owner's knowledge; a recent Symantec survey found that a system will, on average, receive a Blaster-generated packet of data within one second of connecting to the Internet.

"The threat will reduce slowly as we start to have security more widespread," Nigel Beighton, Symantec's director of community defence, told Techworld. "The industry has learned it has to ship technology with security switched on. But right now there are millions of Windows 98 users still out there, there is still a huge number of legacy PCs around, and it will take five or six years for that situation to change."

Last week, Microsoft revealed that the various flavours of the Blaster worm has infected at least eight million PCs since it first appeared in August, based on data from its Windows Update. Security experts say the company is doing the right thing by making Windows PCs secure by default, but say such steps are only a beginning.

A major problem contributing to the ongoing spread of Blaster, Welchia and similar worms is that new PCs are still shipped with the flaws that allow them to spread, such as the Remote Procedure Call (RPC) flaw exploited by Blaster, anlaysts said. "The Microsoft operating system ships unpatched," said Thomas Kristensen, CTO of security firm Secunia. "If you go online with a broadband or dial-up connection to get the security updates, it's possible for Blaster to attack and infect your machine."

One solution would be for Microsoft or system manufacturers to add the security patches before selling a machine, but the decentralised, commodified nature of the PC industry would make this strategy difficult, experts said. "Retailers could offer a secured PC with the updates installed, but consumers could always go and find a PC with a lower price where you have to upgrade it yourself," said Beighton. "In a commodity market, the consumer will always look for a bargain."

Rather than try to keep OEMs around the world up to date with security patches, Microsoft's move with SP2 will be to turn on security features such as, crucially, Windows XP's built-in firewall, which will protect users from attacks such as RPC exploits. This could have problems of its own, with some industry observers predicting it will lead to a huge upsurge in technical support calls; the firewall will block access to services that were previously available, such as game servers, unless it is reconfigured.

The move should make a difference - at least to buyers of new PCs. "Anybody who's bought an up-to-date machine in a year's time will be in a considerably better position than they are now," said Beighton. However, the real problem isn't new PCs, Beighton noted, it's the millions of older machines still in use without protections or updates of any kind.

Even if these users are diligent, they will find it difficult to upgrade if they have a dial-up connection; Microsoft's service packs make the updates easier to download and install, but they only appear three to six months after a threat has materialised, Beighton said.

An alternative is Microsoft's new patch CD programme, allowing users to order a CD containing security updates for machines running Windows 98 and newer software. The CD is a one-off offering, and only contains patches up to October 2003, a Microsoft spokeswoman said.

Most users may not be that diligent, however. Symantec found that many worms continue to spread even after their built-in expiry date has passed, because the PC's clock has not been set properly. "That's how ill-administered they are," Beighton said.

Blaster and its ilk represent a major new trend that has emerged in hacking in the past three years or so, say security experts. Previously, attacks were carried out by individuals, but now the process has been almost entirely automated, with hackers sharing code that takes advantage of well-known exploits.

Seventy percent of vulnerabilities in 2003 required no new exploit code, up from 60 percent in 2002, according to a Symantec threat report published last month. Symantec found that blended attacks like Blaster - which combine the characteristics of viruses, worms, Trojan horses and malicious code with vulnerabilities to spread an attack - are increasingly exploiting back-doors left by previous worms.

This year, for example, the Doomjuice and Deadhat blended attacks both made use of the back-door left by MyDoom in January 2004, Symantec said.