Every Cloud Has a Silicon Lining

You may have read recently about some security flaws, named Meltdown and Spectre, present in the design of the silicon chips in many servers, office computers, laptops, tablets and mobile devices.

Every week, hundreds of security vulnerabilities in various pieces of software are revealed, completely unnoticed by the majority of computer users. Regularly installing the latest updates is a good way to deal with the vulnerabilities and most people don’t really need to know which problems were there, or how they were fixed.

The CPU vulnerabilities revealed this month are unusual because the flaws are in the chips themselves, not in the software. The software updates, for the most part, don’t fix the actual flaw, but make it hard to exploit. In the case of the flaw called Meltdown, the fixes may make it impossible to exploit. In the case of Spectre, they just make it very difficult.

There are different types of cloud computing. We use a type of cloud computing called Software as a Service (SaaS). We decided, long ago, to buy our own physical servers and never to allow them to run code that isn’t trusted. As a result, our systems are not susceptible to attacks using the Meltdown and Spectre vulnerabilities.

Some other cloud systems use a type of cloud computing called Platform as a Service (PaaS), which involves lots of different organisations running their code on the same machine. This arrangement makes it possible (but not easy) for one of these organisations to exploit the Meltdown and Spectre vulnerabilities and extract information from the other organisations, or from the cloud provider itself. As you’d expect, the main PaaS providers have been quick to update their systems with fixes to make these vulnerabilities harder to exploit. In some cases, this has led to planned downtime, reduced performance and other inconveniences.

Cloud systems are not the only type of system that runs code that isn’t trustworthy. For example, the web browser on your computer or smartphone downloads code from the websites you visit, usually in the form of JavaScript, and then runs it on your device. For this reason, it is important to install the latest updates on any device you use for browsing the web. These should be installed in the usual way, but a little extra diligence is required for computers running Microsoft Windows. The recent Windows updates won’t appear unless you are using a compatible anti-virus package. If you haven’t been offered a 2018 Windows update named something like “2018-01 Monthly Rollup”, then your computer may still be vulnerable, even though Windows tells you that no updates are available. The solution lies in ensuring your anti-virus software is compatible and updated first, and then updating Windows.

By Steven Tucker - Co-founder

Steven is one of the founders of The Payroll Site. He writes about things affecting small businesses, especially those things connected with payroll. He's also a Maths graduate and a Chartered IT Professional and has a few views about technology, maths and the misuse of both.