Dear FutureLab customer, this news is important, so please take time to read it
First of all, Happy New Year. We value your time, especially at this time of the year, and we understand that a lot of the news here will be very technical, which is why you’ll find a handy summary at the end of the newsletter.
A big bug has been discovered in every single computer
For the last couple of months, two separate teams have been investigating a potential security issue affecting every single computer, phone, tablet – every device that has a processor. They have discovered that, with some technical tricks, a hacker can access the information from any program that is currently being processed on the machine. This means passwords, secure information, essentially anything. Most processors are affected.
FutureLab were notified by our hosting supplier Amazon Web Services (AWS) in November, with AWS scheduling a software update for the 5th January. The reason that bugs are not publicly announced is to give software companies like AWS, Microsoft, Apple, etc. time to work on a fix before hackers have a chance to find out and exploit the bug. We have been patiently preparing for the update to arrive; however, news of the bug was leaked to the public domain on the 3rd of January, which meant we needed to work more urgently to get a fix in place.
The team at Google that discovered the bug also prepared a website explaining both vulnerabilities.
View the website with the bug details.
What has happened since last night?
Amazon has been updating underlying software for a while now and most of the servers are secure and up to date.
We’ve been working hard to update all servers to the latest software; however, the distribution that we’re using has not yet released a security patch.
There are two bugs, ‘Meltdown’ and ‘Spectre’. The updates we are referring to relate to the Meltdown bug. As far as we understand it, there is not yet a solution for Spectre as it is a much more complex issue to resolve. It has been estimated that the fix for the Spectre bug is going to slow down every machine by about 5%, but in some cases even up to 60%.
What does the above mean for you?
Our architecture is quite complex and looks like the below.
This means your website is using a lot of servers for processing. Most importantly, each of those servers is in the cloud, which means that you won’t get the same server processing your website each time – it’s an ‘on demand’ service. Since AWS have already updated their underlying software, that means that all FutureLab customers are secure from any other processing on AWS. However, because there’s no solution for Ubuntu (the Operating System we’re using on our servers) as yet, there’s still a small internal risk for FutureLab customers. We’re monitoring updates and as soon as they are ready we will get to work patching the machines.
Lastly, since last night FutureLab and AWS have both performed a lot of work to ensure that the software is updated to the most recent and most secure version. We needed to make a lot of restarts and updates on our hosting machines. Our updates were completed around 11am this morning. What this means is that your website may have been offline at any time between 11pm last night and 11am this morning.
If there are any issues with your website, please let us know.
Summary
- Meltdown and Spectre are the biggest bugs we’ve seen so far and they affect every computer, laptop and phone. There is already a solution for Meltdown, which FutureLab has put into place; however, we’re still waiting for a patch for Spectre. There’s no reported malware for the bugs; however, we’ve already seen a proof of concept for the attack.
- Our hosting company AWS has updated all underlying software so all FutureLab customers are safe on the AWS level.
- If your website is not hosted with FutureLab, please contact your hosting provider ASAP to check if they have secured your hosting.
- Apple has already released an update for Mac machines, so please update the software on your computer/laptop as soon as possible. Microsoft has promised to release their patch next week, so make sure automatic updates are turned on on your Windows machine.
- We’re monitoring the updates. You’ll hear more from us (and from the news) in the near future.