Dropbox: File synching and sharing made easy
In this issue
- BONUS: Migrating to Windows 7 has never been so easy
- TOP STORY: Dropbox: File synching and sharing made easy
- LOUNGE LIFE: Help for a hijacked e-mail identity
- WACKY WEB WEEK: Pouring a cup of tea — with exuberance
- LANGALIST PLUS: What to do when a patch won't install
- IN THE WILD: Firefox add-on makes a statement about HTTP
- PATCH WATCH: When it comes to patching, .NET is .ANNOYING
Migrating to Windows 7 has never been so easy
Are you ready to make the jump to Windows 7? If so, this month’s bonus is for you! All Windows Secrets subscribers can download a one-chapter excerpt from Switching to Microsoft Windows 7: The Painless Way to Upgrade from Windows XP or Vista by Elna Tymes and Charles Prael.
Exclusively for Windows Secrets subscribers, Que Publishing is providing — free — Chapter 3, Migrating from XP to Windows 7. It explains Microsoft’s Windows 7 Upgrade Advisor, delves into migrating apps from Windows XP to Win7 using the Windows Easy Transfer Wizard, plus more.
If you want to download this free excerpt, simply visit your preferences page and save any changes; a download link will appear.
Dropbox: File synching and sharing made easy
By Michael Lasky
There’s no shortage of services offering file sharing, synching, and collaboration through the Internet.
But one service stands out from the rest. Dropbox is one of those simple applications that, once installed, quickly become an indispensable part of your computing process.
Having seen hundreds of PC products come and go over the years, we’re not easily impressed here at Windows Secrets. But every once in a while some product — or service in this case — comes along that we soon find we can’t live without. Dropbox, an online file-backup, -sharing, and -synchronization service, fits that category. We use it in the office for managing our production files, and many of us use it for our personal computing.
File synching evolves with changes in computing
Keeping files synched between PCs has always been a bit of a drag — not as in drag-and-drop, but as in multistep tedium. A few breakthrough apps made the task easier. Remember LapLink? That was a product no laptop user could live without. Remember Microsoft’s Briefcase? (Yes, it’s still around, but how many people actually use it?) Microsoft had a great idea building its synching applet into Windows. But, ultimately, it proved too cumbersome to use.
Now that nearly every PC user has access to the Internet, file sharing has moved into the cloud — and added collaboration and file backup as new services. There is a horde of these sites — several of which I discussed in my June 24 Top Story, “SkyDrive takes on the online-storage arena.” Alas, most involve signing onto a password-protected entry site to accomplish anything.
But not Dropbox — a small application that saves you immense amounts of time and effort. Once set up, Dropbox becomes just another folder on your PC — or your Mac, iPad, smartphone, or other computing device that can display documents. Your files are stored both locally in your Dropbox folder and online on the service’s servers. Dropbox lets you back up, share, and sync any file merely by dragging the file into the Dropbox folder on your desktop. Any changes made to files in Dropbox are automatically updated in all other linked Dropbox folders in other devices, as long as you are connected (or when you reconnect) to the Internet.
One feature I particularly liked: Dropbox let me transfer photos from my iPhone to my PC without the hassle of connecting the phone to the computer.
Dropbox works with all versions of Windows, but interestingly its folder retains the classic Windows XP Explorer look. (And its help screens default to Windows XP instructions.)
The free Dropbox Basic lets you store up to 2GB of data in the cloud. Dropbox Pro50 provides 50GB of storage for U.S. $10 per month or $99 per year, and Pro100 is $20 per month or $199 per year.
Moving beyond simple file transfer and sync
Dropbox’s charm lies in its simplicity. But simple does not mean limited — the service has a broad menu of features that make it an invaluable tool for managing files. For example, connecting to the Dropbox Web site gives you access to your files from any Web-connected computer and any Web browser. And when you edit a file, it’s updated on all of your devices that have a Dropbox folder.
It’s a snap (or should I say, a click) to share files from the Dropbox Web site as well. (See Figure 1.) You simply move files into the preset Public folder. Mouse over a file, and a down-arrow appears to the right of the file name.
Click the arrow and select Copy public link. Dropbox displays a custom link, which you can copy or have Dropbox paste to your Clipboard.
Link too long for you? A Shorten Link option creates one for you that’s similar to the bit.ly links you see in Twitter messages. Paste the link into an e-mail, and recipients gain quick access to that folder or file.
Figure 1. You can use Dropbox’s intuitive, Web-based interface to access, share, and otherwise manage files in your Dropbox folder.
Within the Dropbox Web-site view, highlighting a file or folder and clicking the down-arrow also gives quick access to other file-management tasks. These include recalling previous versions and downloading the file to your local device plus moving, renaming, copying to, and deleting the file or folder.
If you want to share a folder with friends or colleagues, all they need to do is install a small Dropbox app. You use the Share Folder option and enter their e-mail address into a dialog box. Once they’ve received a Dropbox message, that folder — with its contents — appears in their Dropbox folder. Dropbox secures all data with AES256 encryption as it’s moved over the Internet and also encrypts the data on its servers.
There are a couple of important points to remember when using Dropbox sharing. Copies of shared folders are stored in each member’s account. So if you are going to share a large folder (say, 20GB), the person you want to share with must have sufficient storage space in his or her account.
You can get around that limitation by putting all of your files into the Public folder, but then anyone who can find or guess the URL for that folder has access to everything, and that’s extremely insecure.
Dropbox lets you use one account on as many PCs as you like, but you can use only one account at a time on each machine. To switch accounts, you have to sign out of one and into another. I’d like it better if you could have a business Dropbox and a personal Dropbox open at the same time. If you have multiple user accounts on a PC, each account can have its own Dropbox.
Reeling back through your versions history
One of Dropbox’s most useful features is that it automatically saves previous versions of files — and even deleted files. With the free version of Dropbox, previous file versions are saved for 30 days; both the Pro50 and Pro100 will save prior file versions indefinitely, if you add the free Pack-Rat add-on.
The Dropbox system tray icon keeps you informed (with small colored symbols) that files are fully synched, currently synching, or unable to sync — either because of a connection problem or because you’ve met your storage allowance. Left- or right-click the tray icon to see how much storage you’ve used or to view recently changed files. (See Figure 2.)
Figure 2. Dropbox’s System Tray app gives quick access to recently changed files.
Another useful Dropbox tool is its Events tab, which gives you a blow-by-blow account of your file activity. It’s handy when you accidentally misplace a file or want to jump quickly to its version history.
What truly separates Dropbox from any other cloud storage, sharing, or synching services is its integration of 90 add-on or supported apps and its ability to let you view files even when you don’t have the application that created them. That’s how I was able to open music, videos, and documents on my iPad, even though the native apps don’t reside on the tablet.
Those add-on apps include Documents to Go, Quickoffice (see Figure 3), GoodReader, XPenseTracker, 1Password, and DocScanner. Some of the add-ons — Quickoffice, for example — for iPad, iPhone, Android, BlackBerry, Web, and even Windows Mobile (oh, my) work independently of Dropbox. But they let you save files to a Dropbox folder — either on the device or to the Web. In both cases, the files are synched to your other Dropbox clients. (For the full list of add-ons, check out the Dropbox App Directory page.)
Figure 3. Dropbox’s App Directory lists over 90 associated apps, such as Quickoffice for the iPhone.
So whether you need to share files and folders between your desktop and notebook PCs or mobile devices, Dropbox has got you covered. Sharing files with collaborators can be quickly and easily accomplished with e-mail links or by equal access to a group folder in Dropbox. And the impressive list of add-on mobile and Web apps makes this service indispensable for both business and personal use.
Feedback welcome: Have a question or comment about this story? Post your thoughts, praises, or constructive criticisms in the WS Columns forum.
WS contributing editor Michael Lasky is a freelance writer based in Oakland, California, who has 20 years of computer-magazine experience, most recently as senior editor at PC World.
Help for a hijacked e-mail identity
By Keely Dolan
Having your e-mail address hijacked by spammers is more than irritating; it can damage your reputation and make communicating with friends and business associates painfully difficult.
Sometimes spammers simply steal your e-mail identity and send out thousands of unwanted messages under your name. Even worse, they might install malware on your PC and send their dreck from your own machine without your knowledge.
Lounge member Eric Selje describes this predicament in his thread, “Spammers are using my e-mail address!” Fellow Loungers step in with advice on stopping the spam — and tips on preventing e-mail hijacking in the first place.
The Lounge Life column is a digest of the best of the WS Lounge discussion board. Keely Dolan is a Windows Secrets Lounge administrator.
Pouring a cup of tea — with exuberance
By Keely Dolan
Normally, preparing a morning cup of tea offers little more elaboration than nestling a lemon wedge on the teacup rim. Featuring a Thai street vendor mixing his tea with extraordinary flair, this video might make you rethink your boring brewing routine. Hold the milk and sugar; I’ll have what he’s having!
What to do when a patch won't install
By Fred Langa
Normally, applying software patches to applications such as Microsoft Office goes smoothly — but sometimes, things just go horribly awry! To make matters worse, Microsoft has discontinued its classic Windows Installer CleanUp Utility, which used to be the go-to tool for correcting this kind of trouble.
MS Office chokes on a troublesome patch
Reader Paul Jackson suffered a persistent patch failure:
- “I’m using Win7. I have Office 2007 Pro, which includes all of the Office 2007 apps such as Access, etc. I have both Publisher 2003 and Publisher 2007 on my drives.
“After installing all the other patches, I get errors with the Publisher 2007 patch. I’ve spent lots of time trying to figure out what to do about it. So far, nothing!
“Also, after having added all the patches, every Office program asks me to wait while the computer reinstalls and configures it — as if I haven’t been using any of the apps all along!”
Paul, usually this sort of trouble occurs when one patch installation or update goes awry and is left in an unfinished state. Subsequent use of the misinstalled software (or related programs) triggers another attempt to get things set up right. But if the original problem hasn’t been fixed, you end up in an endless loop — the software will try forever to complete its installation, but never get there. It’s very frustrating!
The component that’s usually involved is the Microsoft Software Installer (MSI). Many programs from Microsoft and other vendors use MSI for updates and installation.
Fortunately, there are several ways to resolve MSI problems, and one of them will almost surely get you going again.
First, make a backup of your hard drive, just to be safe.
Next, try the following one-minute, one-line MSI-error fix. It deletes the Registry item that contains the data from a broken or unfinished MSI run.
Open an admin-level Win7 Command Prompt window. (Need help? Go to Microsoft’s Command Prompt FAQ, scroll down the page, and open the item titled “How do I run a command with elevated privileges?”)
Now, type (or copy/paste) the following long line into the command window:
reg delete HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions /va /f
It should look similar to Figure 1. Type everything on a single, continuous line, even if the line wraps itself inside your Command Prompt window.
Figure 1. Typing the indicated command into the Command Prompt window may fix broken MSI installs.
Press the Enter key and close the Command Prompt window. Reboot your PC to make sure you’re getting a fresh start.
When you restart, the unfinished or broken installation Registry data should be gone, allowing you to update and use the affected software normally.
If you’re still having trouble, there are additional options you can try.
Windows gurus and long-time readers might recall Microsoft’s Windows Installer CleanUp Utility (msicuu2.exe). Microsoft withdrew the app after complaints it sometimes caused more problems than it cured. With that in mind, if you want to try it, you can probably still find it on non-Microsoft download sites.
In its place, Microsoft now offers several application-specific instructions and automated Fix it tools for Office-related installation problems. You’ll find them in MS Support 290301.
If those options don’t help, one of these resources should do the trick:
- TheWindows7Site’s article, “Fix that MSI installer bug and get apps running again”
- eHow.com’s article, “How to fix Windows 7 MSI installer”
- Helpware’s free MSI Fix tool (download page)
Run multiple security apps without conflicts
David Rodgers wisely wants his PC to be safe — very safe!
- “I have a question about the May 27 article, ‘Essentials story generates feedback.’
“I’ve heard that running two antivirus packages at the same time is not recommended. However, we hear that any one AV package may not catch all viruses or malware.
“I have one AV software always running (AVG). How can I temporarily use a second AV software to perform an additional scan of my system?”
You heard correctly, David. Having two or more security tools trying to do the same job at the same time can lead to trouble. The tools can get into “Me first!” scanning fights as you open and save files. They can even get into loops where they are continually monitoring each other’s scanning activities. This usually leads to extreme PC sluggishness and slowdowns.
But you’re also correct in that no one tool can offer perfect protection.
The solution is to use two different types of tools.
The most familiar type of security tool — such as Microsoft Security Essentials and suites from Symantec, AVG/Grisoft, and McAfee — is meant to be installed and left running all the time. You usually should have only one of this type of security tool on your PC at any given time.
But there’s a separate class of tools called on-demand scanners. They’re not installed like most apps, and you run them only when needed. They’re meant as supplements or backstops to full-time, always-on security tools.
In my case, for example, I use Microsoft Security Essentials for full-time, always-on protection. But from time to time, I’ll use a free, on-demand scanner from sites such as McAfee’s FreeScan or ESET’s Online Scanner to examine my system to make sure that nothing got past my primary protection. (You can find similar tools by Web-searching with the phrase on-demand security scan. Just make sure you use a scanner from a company you know and trust.)
Because on-demand security scans are active only when you specifically launch them, they don’t interfere with the routine operation of always-on tools.
And if two or more tools agree that your PC is clean, you can be reasonably confident that it is, in fact, malware- and virus-free!
The simple solution for unmuting a sound card
Paul Tandy is digging into a new PC:
- “Does anyone know how to unmute the sound card? Needing help because I’ve just got a new Windows 7 computer.”
If your system is set up to use standard Windows audio controls, muting and unmuting the audio is quick and easy:
Right-click on the speaker icon in the notification area (down by the system clock) and select Open Volume Mixer, as shown in Figure 2.
Figure 2. Right-click on the speaker icon to access Windows’ audio controls.
The Volume Mixer applet will appear (see Figure 3). Click to unmute (or mute) the speakers using the indicated checkbox. That’s all it takes!
Figure 3. A single click in the Volume Mixer dialog is all it takes to mute or unmute your speakers!
If your system is set up with third-party (non-Microsoft) audio-control software, you’ll have to find a similar control within that software.
But even there, the process is usually the same: start by right-clicking on the speaker icon in the notification area, and explore the resulting menus for the mute/unmute option.
More on deleting NtUninstall files in XP
Steve Marston writes:
- “Thanks for Fred’s tip [in the Top Story, “Preparing Windows XP for the long haul”] to delete old $NtUninstall{xxx}$ files from XP’s C:\Windows folder.
“I tried to incorporate this into a batch file: Del ‘C:\WINDOWS\$NtUninstall*$.’ But I get a ‘Could not find …’ message.
“Why is this batch-file line wrong, and how do I fix it?”
There are a couple of subtle problems with that approach, Steve. First, $NtUninstall{xxx}$ items are, by default, read-only. You’d have to use the attrib command (info page) to make all the files deletable.
Also, the $NtUninstall{xxx}$ items are actually folders containing other files. Del doesn’t work on folders. Normally, you’d use the rmdir (remove directory) command to automate folder removal, but rmdir (info page) doesn’t support the wildcards you’d need to build a simple, universal batch command.
There’s a ready-made solution I’ll show you in a moment, but first let me ask: why do you need to fully automate this?
$NtUninstall{xxx}$ files are really only a disk-space problem when many of them accumulate. There are only 12 regularly scheduled Microsoft Patch Tuesdays (the second Tuesday of each month) in a given year, plus occasional extra, out-of-cycle patch releases. This means that even the most rigorous housekeeping requires that you check for new $NtUninstall{xxx}$ items only once a month or so.
For most users, a few extra uninstall files don’t matter. I think you really need to tidy XP’s Windows folder only a couple of times a year. So to me, it hardly seems worth the effort to automate the process.
But that’s me. If you really want an automated tool, here’s ready-made help: Tech-pro.net offers a free Windows XP Update Remover (info/download) that should keep your Windows folder as clean as you wish!
Fred Langa is a senior editor of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.
Firefox add-on makes a statement about HTTP
By Robert Vamosi
A security researcher’s new tool shows how easy it is to pluck session cookies out of public Wi-Fi networks and gain access to users’ online accounts. That this circa-2007 hack is still a threat is scary. But the real concern for all Web users should be the slow adoption of secure HTTPS.
Using a well-known threat to make a point
On Oct. 24, at the annual ToorCon 12 security conference held in San Diego, Calif., Seattle-based security researcher Eric Butler introduced a free Firefox add-on called Firesheep. This innocent-sounding app lets anyone on a public Wi-Fi network grab — out of thin air — active browser cookies from other nearby Wi-Fi users.
These cookies, created by Web 2.0 sites such as Facebook, Twitter, FourSquare, Google, and The New York Times, contain user account information. As reported in an Oct. 24 TechCrunch story, it’s a trivial task for anyone running Firesheep to hijack another person’s Web session and access the victim’s account as their own. A session cookie is part of the unencrypted traffic; steal that, and you don’t need to know someone’s username and password — you’re already in that person’s account!
This should make you think twice about browsing the Web while sipping that latte at the local café.
Writing on his blog, Butler says that on public networks, “cookies are basically shouted through the air, making these attacks extremely easy.” The solution, he says, is end-to-end Internet encryption known as TLS/SSL. (Encrypted sessions are typically indicated in your browser — in Chrome, it’s a small green padlock icon in the address bar; in Firefox and IE, it’s a small padlock in the bottom status bar. But the best clue is to look for https:// at the beginning of a site’s address.)
Butler did not make this add-on so that Wi-Fi users could share each other’s accounts; his point — and it’s an important one — is that many sites do not yet offer HTTPS sessions as an option. Gmail, for example, offers end-to-end encryption by default — everything you do on Gmail takes advantage of HTTPS protection. Hotmail, on the other hand, uses HTTPS only when you sign on. After that, your entire session proceeds without any form of protection and there’s no way to switch to HTTPS.
Firesheep is serious, but probably short-lived
With that said, on a scale of one to ten, Firesheep is probably a four — a serious-but-low-level hum within the noise of today’s digital threats. I say this because there are relatively easy preventive actions you can take to avoid becoming a victim; they’re described below.
Although Firesheep is available for download (more than 146,000 since Sunday), there is no legitimate reason for the average PC user to install it.
Figure 1. When Firesheep is installed, Firefox pops up this appropriately labeled screen.
Currently, some versions of Firefox 3.6.x will run Firesheep; Mozilla just pushed out Firefox 3.6.11, which does not. (Firesheep is just another good reason to have the latest version of the browser.)
A hack with something old, something new
Butler’s session-hacking threat is not really new — it’s similar to a classic man-in-the-middle attack, where someone at a free, public Wi-Fi location turns his laptop into an access point and attracts nearby laptops (and some smart phones) to the stronger signal. If the Internet traffic is encrypted (HTTPS), the man-in-the-middle attacker moves on, looking for unencrypted (HTTP) traffic.
Where Firesheep differs, and is particularly effective, is in listening to unencrypted traffic and grabbing passing Web 2.0 session cookies. Its roots go back to a 2007 Black Hat conference I wrote about in a CNET story. In a conference talk, Errata Security CEO Robert Graham demonstrated that he could capture an unencrypted session cookie for an open Gmail account running over the conference’s Wi-Fi. Graham then displayed on the conference room’s big screen an audience member’s inbox, with all mail visible.
At that time, Gmail defaulted to HTTP but gave account holders the option of always connecting via HTTPS. Until Graham’s talk, even I had never thought of taking that extra security precaution — and I’ve covered security issues for years. Others, however, such as the Open Web Application Security Project (OWASP) organization, have been warning about session hijacking (info page) for some time.
In January of this year, Google announced (in a Gmail blog) that HTTPS would be the default setting for all Gmail users. Google now also encrypts traffic to Google Calendar, Docs, and Sites.
Why not make HTTPS the default for all sites?
The short answer is speed; HTTPS could slow down the user experience on sites. However, after adding additional servers, Google found that running HTTPS as the default didn’t impact the site much. A post stated, “SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection, and less than 2% of network overhead.”
Most large sites, such as Facebook and Twitter, have HTTPS available now — it’s just not loaded by default. Like Graham, Butler is trying to push these and other Web 2.0 sites to make the leap to full encryption.
Try it yourself. Take a favorite site (such as windowssecrets.com) and change the address from http:// to https:// and see if there’s an HTTPS version available. Not all sites need to be secure. Do you care if someone grabs the cookie for your favorite news site?
Better browsers force HTTPS as standard
This isn’t just a site issue; browsers need to pull HTTPS pages by default, too. And some of the newer ones do.
In my Oct. 21 In the Wild, WS Security Baseline update, I mentioned that Chrome and Firefox 4 have the ability to force sites to send HTTPS pages if they exist. Internet Explorer has no such plans that I know of.
My Firefox 4.0 Beta 6 is supposed to have this ability, but when I went to Facebook and Amazon, only HTTP pages loaded. A Mozilla article states that HTTP Strict Transport Security (info page) will be included in the final Firefox 4.0 release.
Fortunately, there’s an add-on called Force-TLS (download site) for Firefox versions 3.1–3.7. (Unfortunately, the add-on does not work with the Firefox 4 betas.) Force-TLS ensures that Firefox loads the secure version of a page — if one exists.
Chrome users are already protected. Google has offered the Force-TLS feature with its Chrome browser since version 2.1 was released in 2009.
Internet Explorer users may not have built-in features that force encrypted pages to load, but you can bookmark the HTTPS version of a familiar site. Be aware, however, that not all sites continue to use HTTPS once you’re past the sign-in page (again, Hotmail).
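The sign-in-only HTTPS pattern and the Strict Transport Security mechanism described above both show up in a site's response headers, so a site owner can check for them. The following is an added example, not code from the original article, Firesheep, or Force-TLS; the hostnames, cookie names, and sample responses are constructed for illustration.

```python
"""Added example: audit HTTP response headers for the cleartext-session
weaknesses discussed in this article. All sample responses are constructed."""
from urllib.parse import urlsplit


def parse_headers(raw_lines):
    """Turn 'Name: value' lines into a list of (lowercase name, value) pairs."""
    pairs = []
    for line in raw_lines:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attributes(set_cookie_value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


def audit_response(url, raw_lines):
    """Return findings (in header order) for one response fetched from url."""
    scheme = urlsplit(url).scheme.lower()
    headers = parse_headers(raw_lines)
    findings = []

    for name, value in headers:
        if name == "set-cookie":
            cookie, attrs = cookie_attributes(value)
            if scheme == "http":
                # The cookie itself crosses the network unencrypted.
                findings.append(f"cookie {cookie} issued over cleartext HTTP")
            elif "secure" not in attrs:
                # Without Secure, the browser attaches it to plain-HTTP requests too.
                findings.append(
                    f"cookie {cookie} lacks Secure; sent on any later HTTP request")
        elif name == "location" and scheme == "https":
            # HTTPS for sign-in only, then the session continues unprotected.
            if urlsplit(value).scheme.lower() == "http":
                findings.append("HTTPS response redirects to HTTP")

    # Browsers honor Strict-Transport-Security only on HTTPS responses.
    if scheme == "https":
        ages = [hsts_max_age(v) for n, v in headers
                if n == "strict-transport-security"]
        if not ages:
            findings.append("no Strict-Transport-Security header")
        elif not ages[0]:
            findings.append("Strict-Transport-Security has no positive max-age")
    return findings


# Constructed sample responses (hypothetical hosts under example.test).
SIGN_IN_ONLY = ("https://mail.example.test/login", [
    "Set-Cookie: SESSION=abc123; Path=/; HttpOnly",
    "Location: http://mail.example.test/inbox",
])
ALWAYS_HTTPS = ("https://mail.example.test/login", [
    "Set-Cookie: SESSION=abc123; Path=/; Secure; HttpOnly",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Location: https://mail.example.test/inbox",
])
PLAIN_HTTP = ("http://news.example.test/", [
    "Set-Cookie: SESSION=xyz789; Path=/",
])

if __name__ == "__main__":
    for label, (url, lines) in [("sign-in only", SIGN_IN_ONLY),
                                ("always HTTPS", ALWAYS_HTTPS),
                                ("plain HTTP", PLAIN_HTTP)]:
        print(label, "->", audit_response(url, lines) or "no findings")
```

An empty result means the session cookie is confined to encrypted connections and the browser is told to stay on HTTPS; it says nothing about other weaknesses in the site.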
WS contributing editor Robert Vamosi was senior editor of CNET.com from 1999 to 2008 and winner of the 2005 MAGGIE Award for best regularly featured Web column for consumers. He is the author of the forthcoming book When Gadgets Betray Us (Basic Books, March 2011).
When it comes to patching, .NET is .ANNOYING
By Susan Bradley
I had high hopes that .NET 4 would break with previous versions and be easy to patch — but it’s not to be. After working with .NET 4 for a bit, I grieve to report that it, too, is a pain to patch and laborious to remove.
MS10-077 (2160841)
.NET 4 plus Code 2 equals patching pain
It was bad enough that October had the biggest Patch Tuesday ever, but Microsoft capped it off with a .NET 4 update. Against all hope that the .NET patch would go smoothly, many folks had to repair .NET 4 before they could safely install the patch discussed in MS10-077. When they attempted to install the update, they ended up with an error code 2 message.
Based on comments in a Microsoft Answers forum, one solution is to launch the Windows Add or Remove Programs tool and use the Repair option. (Look for Microsoft.Net Framework 4 Client Profile in the list of programs. You might have to select Uninstall/Change first, before the Repair option shows up.)
What’s being patched? It’s the usual suspect: a privately reported vulnerability that is a threat when a browser user clicks on a malicious Web site. It has to be a browser, such as Firefox or IE, capable of running XAML Browser Applications (info page). That’s ironic, because XBAP applications are designed to run in a protected sandbox mode.
The patch is rated critical for x64-based XP, Vista, and Win7 systems and important for selected versions of Windows Server 2008.
► What to do: Go to MS10-077 (KB 2160841) for more information on this patch. If you’re running .NET 4 because you have an application that needs it, be prepared to run the repair to complete the update’s installation.
Removing .NET 4 might require an extra step
If you took the advice I gave in my Oct. 14 Patch Watch column and tried unsuccessfully to uninstall .NET 4, I have to apologize. I did not realize that .NET 4 might not fully uninstall on some systems. Client workstations probably won’t have this problem, but servers might. I removed .NET 4 from one of my servers, and the next time I tried to back it up it tossed up an error message — it couldn’t back up a font-cache file.
Buried down in the .NET Framework 4 Readme file (section 2.1.1.5) is the reason why. The WPF 4 Font Cache Service is not completely removed when you uninstall .NET 4, and it’s left behind in the Services console. So after you uninstall .NET 4, you have to complete one more step on Server 2008 and R2 to remove it.
► What to do: Click Start, select Command Prompt. Right-click and select Run as administrator. Type sc delete WPFFontCache_v0400 and hit Enter. You should then see “[SC] DeleteService SUCCESS.”
Live Essentials appearing on Microsoft Update
If you have your system checking in with Microsoft Update, expect an offering of Windows Live Essentials in the near future, as noted in an Oct. 20 MS Update Product Team blog.
The blog states, “Windows Live Essentials 2011 will be offered as a Recommended Update for users who have any one of the Windows Live software products installed; otherwise, it will be offered as an Optional Update.”
► What to do: I recommend manually downloading this large update (info/download page) so that you can choose just the options you want. For example, I do want Live Messenger, but I’ll turn off other offerings.
Double-check that Acrobat and Reader are current
Keeping Adobe Acrobat and Reader up-to-date is an essential task for holding off malware. By now, Adobe should have offered an update for these two applications. For both, you should be on either version 8.2.5 or 9.4 for Windows and Mac systems. We expected this update on Oct. 12, but it was pushed up to Oct. 5.
► What to do: Check the version of Acrobat and/or Reader you’re using and go to the Adobe New Downloads page if you did not get the update.
Your Adobe Flash may not be the latest release
As long as we’re on Adobe products, check your version of Flash, too. In my patch review of my PCs, I noticed that some had out-of-date copies of Flash. The reason: Flash normally checks to see whether it’s up-to-date only when you reboot — if you don’t reboot often, you might not get updates as quickly and as often as you think.
Although Firefox will check to see whether you have the latest Flash Player, Internet Explorer does not.
► What to do: Go to the Flash Player download page if you can’t remember the last time your version was updated. Be sure to uncheck the third-party toolbar offerings, however, if they don’t interest you.
Firefox patches a dozen vulnerabilities
Firefox’s big fix is version 3.6.11, which addresses, among other things, DLL hijacking. (Mozilla Foundation Security Advisory 1010-71 discusses this vulnerability in detail.) The update also fixes several threats where merely browsing to a Web site could allow a hacker to take control of your system.
Take note: this patch does not protect you from the zero-day Firefox attack discussed in Mozilla’s Oct. 26 security blog. Given Mozilla’s track record, I expect another patch out shortly — so be on the lookout.
► What to do: If you’re not on version 3.6.11, get yourself to the Firefox download page as soon as you can.
Patch leads the way for Windows 7 SP1 RC?
Update KB 976902 showed up on my Windows 7 and Server 2008 R2 boxes with the cryptic message that it’s needed for future updates — and is not uninstallable. But as of this writing, Microsoft has not posted a public Microsoft Support article explaining exactly what this patch does.
I think it’s a precursor to the Windows 7 Service Pack 1 package — a release candidate Microsoft just offered on a Download Center page. You’ll get this type of patch to ensure that new service packs deploy successfully.
► What to do: Until I can understand this update better, just pass on it. I’ll inform you when it’s okay to install.
Feedback welcome: Have a question or comment about this story? Post your thoughts, praises, or constructive criticisms in the WS Columns forum.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2025 AskWoody LLC, All rights reserved.
