Rather than trying to fix that which increasingly seems to be unfixable at the microcode level, perhaps a different tack is needed.
To counter the former (attack via web browser), Intel's patch could be enabled while the web browser was operating (as that generally will be less performance critical imho). Perhaps eventually the browser could examine a trusted certificate before letting a web page load.
It would be trivial to granulate these further and offer a combination of the two as they are needed. In a sense, you are "locking down" which programs are allowed to run in user space. I certainly agree that these options are quite ugly, but they are options nonetheless. But as I see it, that's where we are at.
Who knows though - this might be seen as an opportunity. If Linux is the only operating system that can offer a solution such as this, maybe its desktop market share might grow rapidly. Maybe at one point it might bring about "The Year of the Linux Desktop".
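The per-process toggle the comment above wishes for does exist on Linux: the kernel's speculation-control prctl(2) lets a launcher turn the Spectre v2 (STIBP/IBPB) or Speculative Store Bypass mitigation on for one task before it exec()s a browser, leaving the rest of the system at full speed. The program below is an added example, not code from the comment's author or from any project; it assumes a Linux kernel of 4.20 or later (for PR_SPEC_INDIRECT_BRANCH) booted with spectre_v2_user=prctl (or seccomp) and spec_store_bypass_disable=prctl (or seccomp), since under other boot settings the kernel reports the mitigation as fixed system-wide and the per-task request is refused.

```c
/* Added example (not from the original post): per-task speculation control
 * on Linux via prctl(2), the mechanism that lets one process (say a browser)
 * run with a Spectre mitigation on while the rest of the system runs without.
 * Assumptions: Linux >= 4.20 for PR_SPEC_INDIRECT_BRANCH, and boot options
 * spectre_v2_user=prctl|seccomp and spec_store_bypass_disable=prctl|seccomp;
 * otherwise the query reports that per-task control is unavailable. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <sys/prctl.h>
#include <linux/prctl.h>
#endif

/* Fallbacks so the file compiles against older headers; values match linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif

/* Decode a PR_GET_SPECULATION_CTRL result. Pure function, so it can be checked offline. */
const char *spec_status_str(long st)
{
    if (st < 0)
        return "query failed: kernel has no speculation-control prctl";
    if (st == PR_SPEC_NOT_AFFECTED)
        return "CPU not affected";
    if (!(st & PR_SPEC_PRCTL))
        return (st & PR_SPEC_DISABLE)
            ? "mitigation on system-wide by boot option; not per-task controllable"
            : "mitigation off system-wide by boot option; not per-task controllable";
    if (st & PR_SPEC_FORCE_DISABLE)
        return "mitigation on for this task (forced, cannot be re-enabled)";
    if (st & PR_SPEC_DISABLE)
        return "mitigation on for this task (speculation disabled)";
    if (st & PR_SPEC_ENABLE)
        return "mitigation off for this task (speculation enabled)";
    return "unexpected status";
}

/* Query the calling task's state for one mitigation. Returns the raw bitmask, or -1 with errno set. */
long spec_query(unsigned long which)
{
#ifdef __linux__
    return prctl(PR_GET_SPECULATION_CTRL, which, 0, 0, 0);
#else
    (void)which;
    errno = ENOSYS;
    return -1;
#endif
}

/* Turn the mitigation on for the calling task. The flag is inherited across
 * fork and exec, so a launcher can set it and then exec the browser.
 * force=1 makes it irrevocable (what seccomp does for sandboxed tasks).
 * Returns 0 on success, -1 with errno set (EINVAL/ENODEV: unknown or
 * unsupported `which`; EPERM: already forced on). */
int spec_disable(unsigned long which, int force)
{
#ifdef __linux__
    unsigned long ctrl = force ? PR_SPEC_FORCE_DISABLE : PR_SPEC_DISABLE;
    return prctl(PR_SET_SPECULATION_CTRL, which, ctrl, 0, 0);
#else
    (void)which; (void)force;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    /* Typical launcher flow: query, tighten, re-query, then exec the browser. */
    printf("SSB before: %s\n", spec_status_str(spec_query(PR_SPEC_STORE_BYPASS)));
    printf("IB  before: %s\n", spec_status_str(spec_query(PR_SPEC_INDIRECT_BRANCH)));
    if (spec_disable(PR_SPEC_INDIRECT_BRANCH, 0) != 0)
        fprintf(stderr, "indirect-branch control unavailable: %s\n", strerror(errno));
    if (spec_disable(PR_SPEC_STORE_BYPASS, 0) != 0)
        fprintf(stderr, "store-bypass control unavailable: %s\n", strerror(errno));
    printf("SSB after:  %s\n", spec_status_str(spec_query(PR_SPEC_STORE_BYPASS)));
    printf("IB  after:  %s\n", spec_status_str(spec_query(PR_SPEC_INDIRECT_BRANCH)));
    /* An execv() of the browser would follow here; the setting survives exec. */
    return 0;
}
```

Run it as an unprivileged user (no capability is needed to tighten your own task) and compare the "before" and "after" lines; on a kernel booted with spectre_v2_user=off or =on the "before" line already says the mitigation is fixed system-wide and the set call fails, which is the check a launcher script should make before assuming it has actually confined the browser.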