Fair’s fair

Dave Farber today said:

As of the time of this posting , the ms home page certainly does not have
any eye catching pointer to the fix. Shame on them.

To which I replied as follows:

To be fair, Dave, there are several ways to learn about security patches as soon as they’re released besides the MS home page (which I rarely visit). One channel, of course, is the ubiquitous (and frequently sensationalistic or incorrect, but hey, that’s another story) press reports, as represented by the Reuters report. It was filed at 8:11pm on 8/22. 99.9% of the time, press reports lag the other channels of notification, though.
First off, Microsoft has a free email service that sends security bulletin notifications. Visit http://www.microsoft.com/technet/security/bulletin/notify.asp or send email to securbas@microsoft.com. The bulletins are PGP-signed, so you can verify their authenticity if you like. If you don’t want to sign up for the MS notification service, you can subscribe to Ntbugtraq or other similar services which reprint the bulletins as they are issued. The Office security bulletin was released overnight on the 20th, so you would have learned about the bug two days earlier than Reuters reported it if you were a bulletin subscriber.
If you use the new Software Update Service (available for WinXP and Windows 2000 SP3), you’ll get a little system tray icon that appears when new security-critical Windows updates are released. You can choose whether or not new patches are automatically downloaded, and whether or not downloaded patches are installed.
Finally, there is a clear link to the Office XP SR2 release from the home page; it’s #1 under the “support” group on the lower-right corner. It is unfair to complain that there’s no big red “DANGER WILL ROBINSON” label applied to it. If Microsoft doesn’t release timely patches, people complain. If they do release timely patches, some segments of the community complain that it’s a vehicle to sneak in new license terms or get up to other mischief.