(This note has nothing to do with capability design except to encourage the search for secure OS designs.)
While this point has been broadly agreed upon, some of the ramifications are little commented upon. Any program can do anything that another can do. The situation is getting worse for Internet provides an increasingly ubiquitous and ever more convenient channel for the virus to repatriate its booty. Even Unix, which does inhibit some actions, lets any program send data grams to anyone in the world. Various people have observed that a virus or Trojan horse can easily install itself to capture key strokes. Passwords can be extracted and transmitted in UDP packets. A virus can patch PGP or similar programs to capture secret keys as they are prepared for legitimate use. Many precautions can be taken but each has counter measures. Without a secure OS I think that this battle goes to the attacker. The target must first discover that he has been attacked, and how, before he can even begin to design counter moves.
Some propose to put really sensitive secrets such as private keys on smart cards designed never to release the secret. Assuming that the attacker never gets his hands on the card and that timing attacks cannot be mounted from inside a compromised personal computer there remain grave threats. Un-bidden software within the compromised computer can intervene in the logic of the code with legitimate access to the card, to include additional tasks, such as signing bogus checks. Other additional tasks might be the recovering the secret key used on old e-mail. No record will be left of these actions. The thief has no need to steal the card or its password!
There are simple arguments that there must be a trusted communications channel between the real holder of the private key, and the conceptual holder (person?) who is considered to control that private key. This channel must be able to describe the proposed action. The keyboard and screen of a compromised computer can not be trusted as such a channel.