These are local attacks: Both Meltdown and Spectre are local attacks that require executing malicious code on a target machine. This means that these attacks are not (directly) drive-by style remote code execution attacks – think Nimda or Code Red – and that systems cannot be attacked merely by being connected to a network. Conceptually, these are closer to privilege escalation attacks, a class of attacks that help you get deeper into a system you already have access to.
However, it is possible to launch the exploit through a web browser too - which I was unaware of
I’d only seen attacks done on machines that a user already had access to, and physical access at that - but apparently it’s technically possible to exploit spectre through a browser now too. Although they can only read from memory, they can’t execute any code
These are read-only (information disclosure) attacks: Along with not directly being remotely exploitable, even if Meltdown and Spectre attacks are executed on a local system, the nature of the exploit is that these are read-only attacks. That is, they can only read information from a system. They cannot directly force code execution in the OS kernel, in other virtual machines, or other programs. These sort of information disclosure attacks can still be devastating depending on what information is leaked – and there is always the risk of using that information to then chain it into a code execution attack – which is why they’re still concerning. But the real risk is in hostile parties using these attacks to steal information, not to control a system.
The real risk is to shared systems, although it is still a risk nonetheless