In the case of Meltdown, applications that do most of their work in user mode and don't call the kernel often will see very little impact; games, for example, should see very little change. Applications that call into the operating system extensively, typically to perform disk or network operations, will see substantial impact. In synthetic benchmarks that do nothing but make kernel calls, the difference can be substantial, dropping from five million kernel calls per second to two-to-three million.
Spectre attacks can be used to leak information both from the kernel to user programs and from virtualization hypervisors to guest systems.
The available patches are expected to slow systems down by anywhere between 5% and 30%. For time-critical and data-intensive businesses, e.g. financial services and banking, this might mean being unable to finish large overnight computation batches before the start of a trading day.
These flaws primarily impact CPUs (as the majority of CPUs from the late 1990s until early 2018 contain the flawed design), operating systems (as most OSes use privilege levels and virtual memory mappings, and these vulnerabilities can be used to abuse all information and processes that are memory mapped), virtual machines and embedded devices.
Mitigation of this vulnerability requires changes to operating system kernel code, including increased isolation of kernel memory from user-mode processes. This is referred to as kernel page-table isolation (KPTI).
Of these two vulnerabilities, Meltdown is easy to mitigate. OS vendors including Microsoft, Apple and various Linux distros have recently released patches to provide protection against Meltdown attacks. Microsoft has also provided PowerShell scripts to validate or determine the status of the patch level.
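On Linux, patched kernels report a comparable status through sysfs, so the same validation can be scripted there. The script below is an added example, not part of the original article or of any vendor's tooling; the function names are hypothetical and the sample directory is constructed.

```shell
#!/bin/sh
# Added example: summarize Meltdown/Spectre status as reported by a Linux kernel.
# Assumption: the kernel exposes this sysfs directory (older kernels do not).
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> mitigated | vulnerable | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_mitigations [DIR] prints one line per issue.
# Returns 1 if any entry is vulnerable, 2 if any status is unavailable, else 0.
check_mitigations() {
    dir=${1:-$VULN_DIR}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            raw=$(head -n 1 "$dir/$name")
            class=$(classify_status "$raw")
        else
            raw="(not reported by this kernel)"
            class=unknown
        fi
        printf '%-11s %-13s %s\n' "$name" "$class" "$raw"
        if [ "$class" = vulnerable ]; then rc=1
        elif [ "$class" = unknown ] && [ "$rc" -eq 0 ]; then rc=2
        fi
    done
    return "$rc"
}

# Constructed sample (not from a real host): KPTI on, Spectre variant 2 unmitigated.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Demo on the constructed sample; on a real host call check_mitigations with no argument.
sample=$(make_sample_dir)
check_mitigations "$sample" || echo "status $?: review the entries above"
rm -rf "$sample"
```

A "mitigated" result for `meltdown` with the text `PTI` corresponds to the kernel page-table isolation described above; an "unknown" result usually means the kernel predates the reporting interface and should be treated as unpatched until checked by other means.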