Meltdown and Spectre exploit vulnerabilities in processors | Traficom

December 31, 2018 at 8:05, updated December 31, 2018 at 8:32

Meltdown and Spectre are attacks that exploit speculative execution, the way processors predict and execute instructions in advance. They exploit the way speculatively executed instructions can bypass process memory protection. These vulnerabilities are particularly harmful in multi-user server environments, where they give malicious users access to other users’ confidential information.

For all the latest updates, please see the Finnish-language website.

Workstations and end-user applications

Vulnerabilities in workstations and in applications for ordinary users often affect a considerable number of users. The target can be, for example, the Windows operating system or a word processor. The difference between server applications and end-user applications is sometimes not clear-cut: for example, the same operating system can be used on both a server and a workstation.

Servers and server applications

Vulnerabilities in servers and server software concern providers of electronic services, among others. Typical targets are operating systems of servers, as well as web or e-mail server software, such as SunOS, Linux, Apache, IIS or Sendmail.

Remote

A remotely performed attack can be implemented via an information network connection or similar without accessing the targeted system.

Locally

A locally performed attack can be implemented only by accessing the device under attack and using it locally. A local attack is not possible via a network connection.

Security bypass

Security bypass means that by exploiting a vulnerability, the protection intended for restricting the use of the system is bypassed, for example, by directing traffic past the firewall to a protected network.

Obtaining of confidential information

Obtaining confidential information from the target system requires that the information content of the system, e.g. files saved on the hard disk, is accessible without permission and can be forwarded.

Software update patch

Normally, hardware or software manufacturers publish a new version or a partial update for software or an operating system soon after the vulnerability has become public. The update can be available at the same time as the vulnerability is published, but often the users have to wait for the update.

Restriction of the problem

Although an actual vulnerability patch is not always available, the vulnerability's effects can usually be limited, for example, by temporarily refraining from the use of a certain feature or by restricting the network traffic to the target system in a suitable manner.

No update

After the vulnerability has become public, a patch for it is not necessarily available right away. Target systems are exposed to the impact of vulnerabilities if measures are not taken to protect them.


December 31, 2018 at 8:32. Originally published 04.01.2018 at 11:45.