Microsoft needs to persevere with its "trustworthy computing" programme says Jay Garden, chief of the government's Centre for Critical Infrastructure Protection (CCIP).
"Malformed input shouldn't be able to cause this sort of effect," he says of the Blaster worm, currently attacking networks around the world.
Blaster, which exploits a hole in Microsoft's Remote Procedure Call (RPC) distributed component object model (DCOM), appears to have peaked with anti-virus vendor Symantec reporting a drop in infection rates of around 30% since Monday.
Garden says managing security by simply issuing patches to fix problems isn't enough and he wants to see Microsoft make more of its promise to improve security.
"If they can reduce what they call the 'attack surface area' then the number of interfaces they have to the outside world, like RPC, reduces."
Garden says the other end of the security spectrum is simply "building better code" and that Microsoft should be working on both issues at once - remediation of existing code and improvement of design.
"The third one I would hope they're working on is the issue of if something does go wrong it shouldn't then jump to having a system-wide level of access. Operating systems are getting better at that."
Garden is not sure that having a more diverse application base would help with the ongoing virus problem either.
"This isn't a Microsoft-only problem so I don't think having more than one application or operating system is going to change that. If you have 80 operating systems you're going to have more vulnerabilities, not [fewer]."
Meanwhile Microsoft's problems with its 0800 800 004 support number seem to be at an end. After receiving a 10-fold increase in calls to the number in the past few days, resulting in the phone system failing, calls have tailed off somewhat since Thursday morning.