I’ve been surprised by the lack of interest, by both the general public and some IT admins, in the Meltdown and Spectre vulnerabilities, which are arguably the most significant computer vulnerabilities we have ever dealt with. To be fair, this isn’t the end of the world. Computers aren’t falling over left and right yet. The big pain hasn’t happened, and that’s part of the problem. These are HUGE exploits with HUGE risk, but because they aren’t being widely exploited yet, they just aren’t getting the attention that they deserve. I expect hundreds of millions of devices to remain vulnerable for the foreseeable future.

Note: I’m writing about Meltdown and Spectre as if they are similar exploits with similar impacts, even though they are not. It just makes writing a short article such as this one easier. Be aware that not all statements below apply to both flaws in equal measure.

A few readers have sent me questions and rebuttals to my concern. Here are a few aggregated examples along with my responses:

It’s not that big of a deal, you’re overreacting

Meltdown and Spectre affect nearly every modern-day operating system (e.g., Microsoft Windows, Apple OS X, iOS, Linux, and BSD) and the most popular CPU chips (e.g., Intel, ARM, AMD). They impact servers, workstations, laptops, tablets, mobile devices, network equipment, cloud services, graphics cards, and some internet of things (IoT) devices. Did I leave something out?

You might think you are safe in some instances, such as gaming consoles. Some of the most popular gaming consoles are not affected. Whew! Except for the fact that nearly every modern-day gaming console connects to the cloud, and those cloud services are likely affected. I have heard that smart watches and newer versions of some smart phones, WiFi routers, and many home automation devices aren’t affected.
Well, we have to take our little victories where we can.

Just patch your stuff and it’s fixed

The Meltdown and Spectre issues are so complex that a device fix often involves patches to chip, firmware, OS, and applications to make your device unexploitable. Some solutions require additional configuration setting changes.

You’ve somehow got to figure out what needs to be patched, how extensive the patching is, how to deploy all the needed patches, and how to make sure everything has been applied as required. It’s a patching nightmare. Some percentage of devices and software can’t be patched and must be replaced. It’s bad when your admins are thinking that they would rather replace every impacted device than be responsible for ensuring all devices are adequately patched.

A worse problem is how many devices will never be patched. With a normal software patch, the overall patching status looks like this: 50 percent of people will apply the patch in an acceptable period of time, 25 percent will apply the patch very late, and 25 percent will never patch the device. The complexity of these exploits means the latter percentage of people who never patch will likely be higher.

Why don’t some people patch? In some cases, they aren’t allowed to patch—for example, admins for environments like critical medical devices or critical energy control equipment aren’t allowed to patch, or at least not in the same year. More often than not, admins have software and devices that they don’t know they need to patch.

The impacted computer is a cash register, a hidden piece of network equipment, or a server tucked in the back. There may be a message on that device’s screen that is screaming to be patched, but they never do it. How many friends do you have who consciously ignore all the patch warnings for years?
That’s many of my friends.

It’s not that serious of an exploit; it’s really only eavesdropping

That eavesdropping is on the most critical secrets involving the security of the devices or OS. On impacted devices, malicious attackers can bypass every current anti-malware and protection feature implemented on those unresolved devices without setting off a warning or leaving a trace in a log file.

Meltdown and Spectre were seen by the (multiple) discoverers and impacted vendors as so serious that they did not release information until a coordinated fix and response could be accomplished. There were literally thousands of people spread over many dozens of vendors, and they all kept this exploit quiet for months until someone leaked it a few days early. Let me know if you’ve ever found another “eavesdropping” exploit where coordination across the industry was not only required, but actually maintained for months.

The exploits aren’t being widely used and won’t be easy to weaponize

Simply not true. Right now, the example exploits just seem to pull those critical secrets out of processor memory, but future exploits will likely evolve to the point that attackers can execute a particular program to get a particular secret.

These aren’t remote exploits, so the fears are overblown

Today, 99 percent of exploits aren’t true remote exploits, but that hasn’t stopped attackers from being even more successful. An attacker can execute a true remote exploit by performing all needed actions on their end. An example is an exploitable listening service. The attacker connects to the service, transmits the needed exploit against the vulnerable service, and voilà, the service is exploited. Remote exploits can spread very far very fast because they don’t require local end-user interaction.
They used to be the majority of exploits, but that hasn’t been true for over two decades.

Today, most exploits require local end-user interaction to be successful. It’s not nearly as hard as anyone assumed decades ago to trick users into clicking on a link, opening an email, or double-clicking on a file. If it were, we would have defeated malicious internet exploits a long time ago. These days I mostly ignore the local-only versus remote-only distinction given as an exploit trait. If it’s a local-only exploit or requires end-user interaction, the exploiter can still be successful.

This might be just the tip of the iceberg

What scares me the most isn’t the laissez-faire attitude toward Meltdown and Spectre; it’s that it sets a precedent for what is likely to become a growing problem. Hardware exploits are becoming more popular and interesting to more people. Indeed, it appears that several different groups of unrelated people individually discovered the aforementioned exploits during the same few months, all while exploring the field of chip exploits more intently.

We can absolutely expect more chip exploits along the lines of Meltdown and Spectre. The question is whether we, as a society in general, will care enough to adequately respond to all instances, or whether exploit fatigue will set in.

If you’re feeling a little superior right now, make sure your company is doing all it can to patch everything required. Ask yourself: does your company have a written policy requiring that all chip and firmware patches get applied in a timely manner? Does your company, regardless of the written policy, actually have a list of chip and firmware versions, actively check them for patches, and apply those patches? Or are you just responding to the Meltdown and Spectre issues?

Nearly every chip and firmware patch fixes one or more critical security vulnerabilities. They always have. We’ve been lucky that attackers haven’t focused more on them.
The thousands of yearly software vulnerabilities have been successful enough that they haven’t had to focus on hardware issues. That seems to be changing.
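As an added example (my code, not the article’s) of the kind of check the patching section and the questions above call for: on Linux the kernel reports each speculative-execution flaw’s mitigation state as a short status string in /sys/devices/system/cpu/vulnerabilities/, and this script reads that directory, classifies each entry, and flags a host that is not fully mitigated. The SAMPLE dictionary is constructed to mirror the kernel’s format so the logic runs offline; the directory path and the "Mitigation:" / "Vulnerable" / "Not affected" prefixes are the real kernel interface.

```python
"""Meltdown/Spectre mitigation status check: added example, not the article's code.
Reads /sys/devices/system/cpu/vulnerabilities/ (a real Linux kernel interface) and
classifies each entry so a host can be flagged as not fully mitigated."""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample in the kernel's format, used when sysfs is unavailable
# (e.g. a non-Linux box) so the report logic can be exercised offline.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",  # hypothetical host whose kernel/microcode is not updated
}

def classify(status: str) -> str:
    """Map one sysfs status string to MITIGATED, VULNERABLE, NOT_AFFECTED or UNKNOWN."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "NOT_AFFECTED"
    if s.startswith("Mitigation:"):
        return "MITIGATED"
    if s.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"  # unfamiliar wording: surface it rather than silently pass it

def read_sysfs(directory: Path = VULN_DIR) -> dict:
    """Collect {flaw: status} from sysfs; empty dict if the kernel lacks the interface."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(directory.iterdir())}

def report(statuses: dict) -> dict:
    """Return {flaw: class} plus an 'all_clear' flag. An empty input is NOT clear:
    a kernel too old to report anything predates the fixes and needs attention too."""
    classes = {name: classify(text) for name, text in statuses.items()}
    ok = bool(classes) and all(c in ("MITIGATED", "NOT_AFFECTED") for c in classes.values())
    classes["all_clear"] = ok
    return classes

if __name__ == "__main__":
    live = read_sysfs()
    for name, cls in report(live or SAMPLE).items():
        print(f"{name:12} {cls}")
```

On Windows, the SpeculationControl PowerShell module’s Get-SpeculationControlSettings gives the equivalent per-host view; either output is what belongs in the chip and firmware inventory the article asks about.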