For years we’ve been reading about how vulnerable so many computer systems, especially ones using Intel and AMD processors, are highly vulnerable to speculative execution attacks such as Spectre, Meltdown, Foreshadow and Fallout. Numerous demonstrations of the feasibility of these attacks have been published, seemingly showing their practicality (even in JavaScript). Microcode updates that partially mitigate them have meant significant performance slowdowns, also suggesting their practicality. Are there many cases where these vulnerabilities have led to actual security breaches of real-world systems?
No, for two reasons. First is that software vulnerabilities are so much more prevalent that in the real world, it would be a wasted effort to attempt to exploit these hardware side-channel vulnerabilities. There's much lower-hanging fruit elsewhere.<p>Second is that for the most vulnerable attack scenarios, they were mitigated long before the public release of Spectre and Meltdown. The big one was cloud computing - attackers being able to exfiltrate data from VMs running on the same host. Microsoft, Amazon and Google had many months in which to roll out updates to their infrastructure that enhanced VM isolation. Similar for browser vendors, for example Chromium introducing Site Isolation. And operating system developers - mitigations for Windows kernel and Linux were being tested for months before public disclosure.
Keep in mind that "breach" here is limited to an <i>information leak</i>. Passwords could be read to achieve a privilege escalation; but a more likely attack would be stealing private keys or other sensitive information. The latter would leave no trace on the target system. So how would you know if your private keys or passwords had been stolen?
Presumably, some malware have been trying to exploit this: <a href="https://www.techrepublic.com/article/spectre-and-meltdown-flaws-being-exploited-by-more-than-100-strains-of-malware/" rel="nofollow">https://www.techrepublic.com/article/spectre-and-meltdown-fl...</a><p>I've never seen them in the wild.