First there was DOS, then Windows, then more and more versions of Windows. At every level, the new operating system absolutely had to support programs written in all but the most ancient old ones. As demonstrated in a talk today at the Black Hat security conference, this thirst for backward compatibility opens up huge possibilities for malicious software writers.
If you ever accidentally load a Windows EXE file into WordPad, you'll see it begins with the letters MZ. These are the initials of Mark Zbikowski, an early MS-DOS developer, and they go all the way back to the first DOS EXE files. A bit latter you'll see the letters PE, standing for Portable Executable. Mario Vuksan and Tomislav Perecin, founders of Reversing Labs, went into great detail about the many ways malefactors can misuse the PE file format.
The precise details of this pair's demonstration would be of interest only to experts, and a room full of experts ate up every word. The "malformations" they displayed all serve to help hide malicious code from static or dynamic analysis, so the malware can execute without being detected.
Microsoft can't just close the holes in the PE format, because many older programs would stop working. In addition, this PE format isn't limited to your PC. You'll find it in Windows CE, XBOX, ReactOS, and others. The presenters concluded that malware researchers simply need to be aware of all these possible malformations and take them into account when analyzing code.
For ordinary users, this will translate into improved security. If you're an expert who just happened not to be in the room, the full discussion is available here.