@ the coolenessrune and urfe, sometimes the cure is worse than the disease. The patches and UEFI updates that Microsoft and Intel released have wrought quite a bit of havoc for many people and businesses in terms of stability and performance.
Also, Meltdown and Spectre require local access to be exploited. If it's already gotten to that point, I am screwed anyway because the hacker or malware can do anything they want to my machine. They wouldn't need something as subtle as Spectre or Meltdown which only allows read access to memory or cache, they could take anything they want without it.
And that's my point. For end consumers, Meltdown and Spectre aren't much of a concern provided the software mitigations are in place, especially for the browsers, because that's where a threat is likely to originate from. And most of us here are computer savvy enough to know not to click on or download something that might potentially be dangerous.
I'm very much aware of the havoc that's been brought in the industry from these patches. That's on Intel. That's an entirely separate discussion from how bad the current situation is, and the belief that somehow consumers don't have to worry about this.
Meltdown and Spectre require local access, but that means
nothing in regards to the vector used to get that local access. It's also, again an
entirely different discussion from what a hacker can "do to your machine."
The only thing that separates a normal program that we
use everyday from a virus, worm, exploit, etc. etc. is the intention of the program. A hacker can craft a package for a myriad of purposes. A hacker getting something on your machine has
absolutely zero correlation with a hacker getting unfettered access to your machine. In fact, the
vast majority of malicious packages out there do no such thing. They stay under the radar getting access to
just a couple of things needed to suit whatever their end goal is. The Slammer Worm from the early 2000's for instance did not give a hacker the ability to "do anything they wanted". It merely exploited a vulnerability in Microsoft SQL to overload networks with traffic. Subsequent buffer overflows could be used in vulnerable systems (and systems made vulnerable by being a recipient of the junk traffic) could then have then have leaked confidential data that could be harvested.
This exploit is the exact same way, specifically in regards to Spectre. Just because browsers are now safe
r, does not mean there are not other vectors that can be used to exploit a Spectre vulnerability. A spectre exploit need not be a one-stop-shot package that infects, exploits, harvests, and sends data, and it need not be kicked off by someone holding onto your system. A worm could deliver a spectre exploit that simply leverages another known (or unknown) program long out of support to do its spectre mitigation. For all we know, some version of WinDirStat could be used as a vector if it has such a vulnerability. That's the nasty thing about Spectre, and why this needs to be at least partially handled at the CPU level. I just can't agree that this is some issue consumers don't need to worry about. They need to worry about it like they do any new vulnerability.