@upnorth On Windows 7 x64 systems, if you have the Meltdown patch, you're vulnerable to Total Meltdown which is even worse.
Total Meltdown allows kernel page table modification (write access), whereas the original Meltdown only allowed read access to kernel memory... Well, now there's some write access!
Spectre is harder to exploit than Meltdown, and while it was/is still an issue which should be taken on board, the media was scaring people.
The requirement of Spectre which you should be aware of is that it requires arbitrary code execution within the address space of the target process. With Meltdown, you could... read kernel memory from your own launcher (for example). With Spectre, you'd need to perform Remote Code Execution to gain arbitrary code execution within the target (unless of course you were performing exploitation from JavaScript being deployed on a website the user navigates to for a browser exploitation attempt). Bear in mind that Spectre is for reading memory you shouldn't have had access to for a specific process being exploited, whereas Meltdown was for kernel memory read access (which shouldn't have been allowed).
1. Anti-Virus/Internet Security products which have self-defense capabilities should be protected against Spectre by default, as long as self-defense is enabled. Without an additional exploit to bypass the self-defense of the security solution, you won't be able to perform the RCE.
2. Google Chrome has a 'Site Isolation' feature which will reduce damage in the event of web-based Spectre exploitation (for example). I am sure that Microsoft and Firefox have their own similar techniques. Regarding the 'Site Isolation' feature, the reason it minimizes damage is that while it does not PREVENT the exploitation of Spectre, the data which can be accessed by the attacker post-exploitation will be reduced... As I mentioned before, you can only affect a target under which you have code execution, and therefore since the 'Site Isolation' feature will cause a new process per tab document, it means the attacker will only have access to the memory of the process responsible for the document which loaded the malicious JavaScript... and thus the memory of the other browser processes won't be affected during the attack.
3. Security solutions like AppGuard which have a memory protection feature can be utilized.
Microsoft have already deployed some good defenses for Spectre. For starters, they made an update to Visual Studio so developers can enable a new setting and allow Visual Studio to insert the LFENCE instruction (from the x86 architecture) where required. The LFENCE instruction basically says, "Slow down speculative execution, you shall not pass until I say so".
Use the security features of your web-browser and if you happen to be affected by Spectre on another target (e.g. locally and not the web-browser), it means your environment had already become compromised and thus Spectre or no Spectre, it's game over and you failed.
You could argue that it is not the problem of anyone except the person left vulnerable for using an old version of Windows. New versions of Windows are made for a reason, and whether an old version of Windows is still "supported" or not, they won't be identical in terms of internal security.
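
What an LFENCE placed after a bounds check looks like in C, as an added example that is not part of the original post. The table, the function names and the `SPECULATION_BARRIER` macro are hypothetical, and the fence is written by hand here rather than inserted by the compiler.

```c
#include <stddef.h>
#include <stdint.h>

/* x86-64 only: _mm_lfence() emits the LFENCE instruction. */
#if defined(__x86_64__) || defined(_M_X64)
#include <emmintrin.h>
#define SPECULATION_BARRIER() _mm_lfence()
#else
/* Assumption for other targets: compile to a no-op so the file still builds.
 * It is NOT a speculation barrier there. */
#define SPECULATION_BARRIER() ((void)0)
#endif

#define TABLE_LEN 16
/* Constructed sample data. */
static const uint8_t table[TABLE_LEN] = {
    1, 8, 15, 22, 29, 36, 43, 50, 57, 64, 71, 78, 85, 92, 99, 106
};

/* Before: the bounds check is architecturally correct, but if the branch is
 * mispredicted the load can execute speculatively with idx out of range. */
uint8_t read_unfenced(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* After: LFENCE sits between the check and the dependent load, so the load
 * does not begin until the comparison has actually resolved. */
uint8_t read_fenced(size_t idx)
{
    if (idx < TABLE_LEN) {
        SPECULATION_BARRIER();
        return table[idx];
    }
    return 0;
}

/* The fence must not change results: compare both variants on in-range and
 * out-of-range indices. Returns 1 if they always agree. */
int variants_agree(void)
{
    for (size_t i = 0; i < 4 * TABLE_LEN; i++)
        if (read_unfenced(i) != read_fenced(i))
            return 0;
    return read_unfenced((size_t)-1) == read_fenced((size_t)-1);
}

int main(void) { return variants_agree() ? 0 : 1; }
```

The two functions return identical values for every index; the fence only constrains what the CPU may do speculatively, at the cost of stalling the pipeline on each guarded access.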