Hard drive torture tests reveal alarming failure rates for Seagate drives

Ars Technica recently reported on hard drive performance data collected by cloud backup service provider Backblaze.

Backblaze uses regular consumer-grade hard drives due to their low cost and adequate reliability. Since their hard drives are running and active constantly, Backblaze carefully monitors drive reliability. As a public service, the results are published yearly.

In this year’s results, the reliability winner is once again HGST. Now part of Western Digital, HGST (Hitachi Global Storage Technologies) was formed from Hitachi’s hard drive business, which had itself absorbed IBM’s hard drive division.

What really stands out in this year’s report is the annual failure rate of Seagate drives, which was as high as 43% for some models.

In the shifting world of hard drive reliability, it’s difficult to make realistic recommendations. But if you’re building a system that you plan to leave running 24/7, you might want to consider avoiding Seagate drives, at least for the next few months. Seagate will probably react to these numbers and improve reliability for their consumer grade drives.

Chrome 40.0.2214.94 released

Another new version of Google’s web browser was announced on Friday. The release notes for version 40.0.2214.94 don’t provide any useful information on what’s different. There is only a link to the version control log entries for version 40.0.2214.94. And unfortunately, that log is both difficult to interpret (especially for non-technical folks) and extremely light on details. It looks like the new version fixes two minor issues, neither related to security.

Firefox 35.0.1 fixes several bugs

A new version of Firefox was released by Mozilla yesterday. Version 35.0.1 includes fixes for various crashing and security issues.

There was no announcement from Mozilla for Firefox 35.0.1. As usual, I learned of the new release from non-Mozilla web sites. The struggle continues.

Although there have been some improvements to the release notes for Firefox, it’s still often difficult to determine whether the items listed changed in the version being discussed, or in a previous version. For instance, while all the items at the top of the list marked as ‘Fixed’ also refer to version 35.0.1, nothing else on the list refers to a specific version. Many of those items do in fact look like they are related to Firefox 35.0. There’s a link to ‘various security issues’, but again it’s not clear what on that list is specific to version 35.0.1.

The ‘complete list of changes’ link to Bugzilla is still not much help.

Adobe releases another Flash zero-day fix

Adobe has updated the bulletin related to the CVE-2015-0311 vulnerability in Flash. A new version of Flash (16.0.0.296) has been released to address the bug.

Initially, the new version was not available from the main Flash download page, although computers with Flash’s automatic update feature enabled did download and install it. As of January 27, the new version is available on the Flash download page.

Anyone using a web browser with Flash enabled should install the new version as soon as possible.

Ars Technica has additional details.

Update 2015Jan28: Adobe has issued another security bulletin for this update.

Update 2015Jan30: Flash 16.0.0.296 also addresses the vulnerability CVE-2015-0312.

SANS upgrades Infocon threat rating to yellow

SANS Internet Storm Center has upgraded its Infocon threat rating from green to yellow, in response to the recent zero-day vulnerabilities in Flash. From the associated post:

“Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or soho users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.”

The Infocon rating is displayed in the left sidebar of this web site.

Google vs. Microsoft disclosure debate continues

You may recall Microsoft’s recent statements of displeasure at Google’s disclosure of unpatched security vulnerabilities in Windows 8.1.

This argument shows no signs of abating, because Google has disclosed more unpatched vulnerabilities in Windows.

Microsoft needs to understand that it’s on the wrong side of this battle. Vulnerabilities must be patched quickly, and absent any incentive, big companies like Microsoft, Oracle and Adobe will take increasingly long periods of time to produce patches. Ninety days is plenty of time.

VLC has two unpatched vulnerabilities

VLC is one of the most popular media players; it’s cross-platform, and has a reputation for being able to play almost any kind of media. Given its popularity, unpatched vulnerabilities in VLC are likely to make attractive targets to malicious hackers.

Two vulnerabilities in VLC, CVE-2014-9597 and CVE-2014-9598, have yet to be acknowledged by VLC’s developers. Both are memory corruption bugs that can allow attackers to execute arbitrary code on target systems.

Note that these vulnerabilities only affect VLC running on Windows XP, and only FLV and M2V files.

If you use VLC, you should exercise extreme caution when playing media from sources not known to be safe.

Adobe issues special update for Flash, while another 0-day rears its head

On Thursday, Adobe announced an update that addresses a recently-discovered vulnerability in Flash. According to Adobe, the vulnerability addressed by Flash 16.0.0.287 is CVE-2015-0310.

Anyone using a web browser with Flash enabled should install the new Flash as soon as possible.

Apparently there is at least one additional vulnerability in Flash that affects even the most current version (16.0.0.287) and is currently being exploited in the wild. This zero-day vulnerability is identified as CVE-2015-0311. According to Adobe, they are working on a patch, which should be available in the next few days.

SANS has a useful summary of the recent updates and vulnerabilities related to Flash.
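The two Flash posts above give a small chain of builds and the CVEs each one closed: 16.0.0.287 fixed CVE-2015-0310, and 16.0.0.296 fixed CVE-2015-0311 and CVE-2015-0312. The added example below (my own code, not anything from Adobe or SANS) turns that into a check that tells you which of these CVEs an installed Flash build is still exposed to. It assumes, as the bulletins imply, that a build at or above the fixing build carries that fix, and that Flash build numbers only increase. The parsing step is the part worth keeping: comparing version strings lexically gets the wrong answer once a component grows an extra digit.

```python
"""Which of the Flash CVEs discussed above is a given build still exposed to?"""
from typing import Dict, List, Tuple

# Fixing build -> CVEs it closed, taken from the two Adobe bulletins cited above.
# Assumption: a build at or above the fixing build includes that fix.
FIXED_IN: Dict[str, Tuple[str, ...]] = {
    "16.0.0.287": ("CVE-2015-0310",),
    "16.0.0.296": ("CVE-2015-0311", "CVE-2015-0312"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '16.0.0.296' into (16, 0, 0, 296).

    Tuples of ints compare component by component, so 16.0.0.1000 sorts
    after 16.0.0.296; the raw strings would sort the other way round.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def exposed_cves(installed: str) -> List[str]:
    """Return the CVEs from FIXED_IN whose fixing build is newer than `installed`."""
    have = parse_version(installed)
    missing: List[str] = []
    for fixed_build, cves in FIXED_IN.items():
        if have < parse_version(fixed_build):
            missing.extend(cves)
    return sorted(missing)


def is_current(installed: str) -> bool:
    """True when `installed` is at or above the newest fixing build in the table."""
    newest = max(parse_version(build) for build in FIXED_IN)
    return parse_version(installed) >= newest


if __name__ == "__main__":
    # Constructed sample inputs: the build from the earlier post, the zero-day fix,
    # and a hypothetical future build with a four-digit last component.
    for build in ("16.0.0.257", "16.0.0.287", "16.0.0.296", "16.0.0.1000"):
        print(build, "current" if is_current(build) else "exposed to", exposed_cves(build))
```

Feed `exposed_cves()` whatever your inventory reports for the Flash plugin; an empty list means the build has every fix listed on this page, and anything else is the list of CVEs still open on that machine.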

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.