eWeek Microsoft Watch
November 18, 2003 8:56 AM

Microsoft Quantifies Its Security Progress
Microsoft has a lot to do in the next year to deliver on its security promises. But the company's come a long way since it launched its Trustworthy Computing initiative.

That was the message from Mike Nash, the corporate VP in charge of Microsoft's Security Business Unit. Nash reiterated Microsoft's security priorities as part of a 70-minute "Executive Circle" Webcast on Monday.

Nash didn't offer up any new security news during his remarks. He said Microsoft was on course to deliver on the security strategy it outlined for customers a few months ago. First and foremost, Microsoft is focused on improving the patching experience. Secondly, it is working to provide more guidance and training. Thirdly, it is focused on "mitigating vulnerabilities" without patches. And lastly, the company is working to continue to improve product quality to lessen the need for patches in the first place.

Nash focused on improvements Microsoft has made since Chairman Bill Gates launched Microsoft's Trustworthy Computing imperative in January 2002.

Nash noted that exploits have become more sophisticated over a relatively short period of time, making current patching approaches insufficient. He showed a chart that detailed the number of days between patch release and exploit. In the case of the Code Red/Nimda worm, 331 days elapsed between the patch and the exploit. With SQL Slammer, the time between patch and exploit was 180 days. With the Welchia worm, it was 151 days. But with MS Blaster, there were only 25 days between patch and exploit.

Nash had other data in his security-record arsenal. He said that in the first 90 days following Microsoft's introduction of Windows Server 2000 (the "pre-Trustworthy-Computing era"), the company discovered eight "critical" or "important" vulnerabilities in the server code. Comparatively, Microsoft unearthed three critical/important vulnerabilities in Windows Server 2003 (which is considered a product of the company's Trustworthy Computing initiative) during its first 90 days on the market. In the first 180 days following each product's debut, there were 21 critical/important Windows Server 2000 vulnerabilities, compared to six Windows Server 2003 ones, Nash said.

Nash also cited a reduction in the number of security bulletins issued in the pre-Trustworthy-Computing and post-Trustworthy-Computing periods for Exchange Server 2000 (from six bulletins to one) and SQL Server 2000 (from 11 to two) as evidence that the company's focus on security is making a difference.

Microsoft has a number of new security-related product and technology rollouts slated for the next couple of years. Nash reiterated the timetables for these during his Webcast remarks.

In the first half of 2004, Microsoft will deliver Windows XP Service Pack 2 (with a number of new security fixes and features); Software Update Services 2.0; Microsoft Update (its new, single patch repository for multiple products); broad security training for partners and customers; and other sundry "patch enhancements," Nash said.

In the second half of 2004, Microsoft will deliver Windows Server 2003 Service Pack 1 (which will feature new secure-server configuration capabilities and an "inspection environment" capability that will test client machines for security violations before they are allowed to log onto the corporate network).

Nash directed Webcast attendees to Microsoft's Security Best Practices site for more information on what Redmond's doing to improve the security picture.
