You may have read recently about some security flaws, named Meltdown and Spectre, present in the design of the silicon chips in many servers, office computers, laptops, tablets and mobile devices.
Every week, hundreds of security vulnerabilities in various pieces of software are revealed, and the majority of computer users never notice them. Regularly installing the latest updates is a good way to deal with these vulnerabilities, and most people don’t really need to know which problems were there or how they were fixed.
The CPU vulnerabilities revealed this month are unusual because the flaws are in the chips themselves, not in the software. The software updates, for the most part, don’t fix the actual flaw, but make it hard to exploit. In the case of the flaw called Meltdown, the fixes may make it impossible to exploit. In the case of Spectre, they just make it very difficult.
There are different types of cloud computing. We use a type of cloud computing called Software as a Service (SaaS). We decided, long ago, to buy our own physical servers and never to allow them to run code that isn’t trusted. Exploiting Meltdown or Spectre requires the attacker’s code to run on the affected machine, so our systems are not susceptible to attacks using these vulnerabilities.
Some other cloud systems use a type of cloud computing called Platform as a Service (PaaS), which involves lots of different organisations running their code on the same machine. This arrangement makes it possible (but not easy) for one of these organisations to exploit the Meltdown and Spectre vulnerabilities and extract information from the other organisations, or from the cloud provider itself. As you’d expect, the main PaaS providers have been quick to update their systems with fixes to make these vulnerabilities harder to exploit. In some cases, this has led to planned downtime, reduced performance and other inconveniences.