Ryu Connor wrote: I'd note that Edge and IE11 also contain Spectre specific JS mitigations.
No doubt; they've got some pretty huge incentives to fix this. I live in the Linux world (with a bit of OS X) at the day job these days, and run Linux on my personal desktop/laptop. So I'm not as up-to-date on stuff that isn't cross-platform.
Ryu Connor wrote: The Spectre and Meltdown kernel vulnerabilities do not change the risk profile for end users. In fact I'd even go so far as to argue disabling the protections and regaining performance doesn't increase risk for this audience. You're in the same position before the revelation of these flaws as you are today.
Yeah, I've pretty much been saying this since shortly after this dumpster fire ignited. The kernel-level stuff is mainly a concern for shared hosting and VPS service providers. You need to be able to execute your own code on the system to exploit, and since it's a data leakage issue, you need to be running on the same physical hardware as the sensitive data you're trying to exfiltrate.
Sandboxed JS in a web browser is a special case (since you're explicitly running untrusted code that the browser is supposed to protect you from), and is THE case that is of most concern to end users.
Ryu Connor wrote: Generally speaking that is:
1. Patch remote code execution flaws.
2. Be careful what you download and run.
If you fail to do either of those steps, the bad guys will be able to do terrible things. Those terrible things don't need the Spectre and Meltdown flaws to succeed.
Yup. As a desktop or mobile user, once you've mitigated the JS vulnerability, the rest of Meltdown/Spectre requires a pre-existing compromise of the system (whether technical or socially engineered) to be a significant risk.