Originally Posted By: tfabris
What I found to be most troubling is the possibility that this could get used for breaking out of a VM and reading the memory of the host machine.

Yep, VM issues are among the many terrifying realities of this, and I've seen a VirtualBox proof of concept somewhere that I'll edit in later. The one that topped that for me was Firefox and IE6, err Chrome being vulnerable and leaking passwords via Javascript due to one of the flaws. Definitely upgrade your browser if you haven't yet.

On the plus side for the cloud, those folks know how to patch quickly and with minimal disruption. Was watching AWS alerts go out around 9PM PST on the 3rd announcing emergency updates with 2 hours notice. I didn't watch Azure as closely or other clouds, but saw hints of similar actions. I also forgot to set up a timelapse of Amazon HQ to catch how many more office lights were on after hours compared to average.

Meanwhile, folks still hosting their own stuff, especially on old Windows systems, have to wait for AV vendors to set a special registry key to ensure the patch won't blue screen loop the boxes. Win 10 and Win 2016 users with only Microsoft Security Essentials were the only ones who could safely deploy when Microsoft also published their patches under emergency conditions. Microsoft's legacy continues to hold them back, unfortunately.

Apple is still sorting out their status, with anyone on macOS 10.13.2 or iOS 11.2 being okay, and patched secretly in December. It's still unclear if an up to date 10.12 or 10.11 Mac is vulnerable under these 3 flaws. It's also unclear when Safari will be fully validated and fixed if vulnerable in the same way other browsers were.

Linux, well, not going to discuss that trampoline mess currently. Not a surprise their work was what set off the emergency scramble in the industry, and currently keeping me busy at work.

BSDs and other OSes, I've not dug into beyond seeing statements FreeBSD was aware and on the 3rd was still respecting the NDA some other folks disregarded.

What continues to intrigue me from a CPU architecture standpoint is why some ARM variants were also hit with Meltdown specifically, both a Cortex core, and some of Apple's cores. AMD dodged that one likely due to their past of acquiring DEC Alpha engineers who designed their memory pieces, though embarrassingly AMD also had a disclosed flaw in their TPM setup, oops. The good news is, Itanium seems to remain unaffected by all three of these when running in pure IA64 modes. It's a shame the industry told Intel they weren't willing to switch to a better architecture to break the 4GB RAM barrier.

Oh, this is on my reading list for the weekend, skimming it revealed some more good explanations of the flaws: https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/


Edited by Faolan (05/01/2018 23:57)
Edit Reason: Edited to add another link
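An added example, not part of the post above: the "special registry key" the post refers to is the QualityCompat flag Microsoft required AV vendors to set before Windows Update would offer the January 2018 updates. The key path and value name below are Microsoft's published ones; the script itself is illustrative and assumes it is run in an elevated PowerShell session on the box you want to check.

```powershell
# Added example: report whether the AV-compatibility flag is set and which of
# its possible states the machine is in. This mirrors the check Windows Update
# performed before offering the Meltdown/Spectre fixes; it is not Microsoft's code.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # REG_DWORD, expected data 0

function Test-QualityCompatFlag {
    if (-not (Test-Path -Path $keyPath)) {
        return [pscustomobject]@{
            State = 'KeyMissing'
            Value = $null
            Note  = 'No AV vendor (or admin) has set the flag; Windows Update withholds the fix'
        }
    }

    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            State = 'ValueMissing'
            Value = $null
            Note  = 'Key exists but the compatibility value is absent; update still withheld'
        }
    }

    $data = $item.$valueName
    if ($data -eq 0) {
        return [pscustomobject]@{
            State = 'Set'
            Value = $data
            Note  = 'Flag set; Windows Update will offer the January 2018 patches'
        }
    }

    return [pscustomobject]@{
        State = 'Unexpected'
        Value = $data
        Note  = 'Value present but not 0; treat as not set and confirm with the AV vendor'
    }
}

# Set the flag yourself only after confirming your AV vendor states its product is
# compatible; setting it on a box with an incompatible kernel-mode AV driver is
# exactly what produced the boot loops the post describes.
function Set-QualityCompatFlag {
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    return Test-QualityCompatFlag
}

Test-QualityCompatFlag | Format-List
```

Once the update is actually installed, the registry flag says nothing about whether the mitigations are active; Microsoft's SpeculationControl module from the PowerShell Gallery (`Install-Module SpeculationControl` then `Get-SpeculationControlSettings`) reports the kernel-side status and whether the required microcode is present.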