by Mister_Snuggles 3069 days ago
I read somewhere that people have developed POCs of these using JavaScript. At minimum, you'll want to keep your browser up to date as there are mitigations happening there too. Who knew that exposing high precision timers to untrusted JavaScript would be a bad idea?

Apart from browsers, it's fortunately pretty easy to avoid running code you don't trust on your devices.

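The comment above points at the timer mitigation without saying why it works. The following is an added example, not code from this thread or from any browser: a deterministic simulation of a cache-timing probe read through a timer that has been floored to a coarse grid and, optionally, jittered, the way browsers changed performance.now() after Spectre. The cached/uncached latencies (50 ns and 300 ns) are assumed round numbers of the right order of magnitude, not measurements, and nothing here touches real cache state or runs a speculation gadget.

```javascript
// Added example, not code from the HN thread. It models why browsers
// coarsened performance.now() after Spectre: a cache-timing probe only
// works if the timer can resolve the cached/uncached latency gap.
// Everything below is a deterministic simulation over constructed
// latencies; nothing reads real cache state or runs a real gadget.

// Use the runtime's timer if present (browsers, Node >= 16), else perf_hooks.
const perf = globalThis.performance ?? require('perf_hooks').performance;

// Constructed latencies in nanoseconds: the order of magnitude of an L1 hit
// versus a DRAM access. These are assumed values, not measurements.
const CACHED_NS = 50;
const UNCACHED_NS = 300;
const THRESHOLD_NS = (CACHED_NS + UNCACHED_NS) / 2;

// mulberry32: tiny seeded PRNG so every run of the simulation is identical.
function mulberry32(seed) {
  return function () {
    seed = (seed + 0x6d2b79f5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Model of a mitigated timer: the true time is floored to a grid of
// `resolutionNs`; with `jitter` set, a random offset below one grid step is
// added to every read, on top of the coarser grid.
function makeTimer(resolutionNs, jitter, rng) {
  return function read(trueTimeNs) {
    const floored = Math.floor(trueTimeNs / resolutionNs) * resolutionNs;
    return jitter ? floored + Math.floor(rng() * resolutionNs) : floored;
  };
}

// Attacker's decision: time `probes` accesses starting at random offsets
// relative to the grid, average the elapsed readings and compare to the
// threshold. One probe is the naive attack; averaging many probes is the
// standard way to recover a signal buried under coarsening and jitter.
function decide(timer, rng, latencyNs, probes) {
  let total = 0;
  for (let i = 0; i < probes; i++) {
    const start = rng() * 1e6;
    total += timer(start + latencyNs) - timer(start);
  }
  return total / probes > THRESHOLD_NS ? 'uncached' : 'cached';
}

// Fraction of correct decisions over a balanced set of cached/uncached trials.
function accuracy(resolutionNs, jitter, probes = 1, decisions = 2000, seed = 1) {
  const rng = mulberry32(seed);
  const timer = makeTimer(resolutionNs, jitter, rng);
  let correct = 0;
  for (let i = 0; i < decisions; i++) {
    const truth = i % 2 === 0 ? 'cached' : 'uncached';
    const latency = truth === 'cached' ? CACHED_NS : UNCACHED_NS;
    if (decide(timer, rng, latency, probes) === truth) correct++;
  }
  return correct / decisions;
}

// Empirical resolution of the timer this runtime exposes to the script:
// the smallest non-zero delta seen between consecutive reads.
function measureResolutionMs(samples = 10000) {
  let min = Infinity;
  let prev = perf.now();
  for (let i = 0; i < samples; i++) {
    const now = perf.now();
    if (now - prev > 0 && now - prev < min) min = now - prev;
    prev = now;
  }
  return min;
}

console.log('this runtime, timer resolution ~', measureResolutionMs(), 'ms');
console.log('5 ns grid, single probe:        ', accuracy(5, false));
console.log('1 us grid, single probe:        ', accuracy(1000, false));
console.log('1 us grid + jitter, single:     ', accuracy(1000, true));
console.log('1 us grid + jitter, 256 probes: ', accuracy(1000, true, 256));
```

With a 5 ns grid a single probe classifies every access correctly; with a 1 us grid a single probe is close to a coin flip, and jitter pushes it further toward 50%. The last line is the caveat a practitioner should take from this: averaging a few hundred probes recovers the signal almost completely, because flooring and zero-mean jitter do not bias the mean. Coarsening the timer raises the cost of the attack rather than removing it, which is why browsers at the same time also disabled SharedArrayBuffer, the primitive that let a page build its own high-resolution counter in a worker thread independent of performance.now().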

What I've seen that the POCs can actually do is not worth running around with your hair on fire over.

Note I did not say there is no reason to be concerned about Meltdown and Spectre... just that for most users, uses, and systems, it's not that important. In the next three-to-six months, if you care about security at all, unless you are already running a tip-top tight operation, your money and effort is better spent defending against the many already-realistic threats, rather than worrying about the vector that may someday be converted into a realistic threat. Meltdown isn't what is going to drag your business to a halt next week; it's that ransomware that one of your less-savvy employees opened while mapped to the unbacked-up world-writable corporate share that has all the spreadsheets your business runs on. At the moment, the net risk of applying the Meltdown fix comfortably exceeds by several orders of magnitude the risk that Meltdown itself poses.

And my point is precisely that for most users and uses, that panic was not justified. Those for whom that is not true (VM hosting companies) already know they need to be more aggressive. There was no point in pushing out patches that nearly bricked some computers.

I agree with your points. In fact, I made the same argument about removing a Heartbleed/Spectre-related patch that caused issues for one of our applications - "the machine doesn't execute any untrusted code, so this patch isn't strictly necessary."