Intel has spoken, and for Spectre variant 1 they have said we need to fix it in software (they recommend inserting fences "in appropriate places"). https://newsroom.intel.com/wp-content/uploads/sites/11/2018/...
Intel's paper outlines a roadmap for future work.
Timing the L1 cache response for speculatively fetched data that one could not normally access is just one of the problems. It's the one that it is easiest to explain, and it's also the one that the few operating system writers who were told about this tackled first. Hence it is the one that is getting the focus in many discussions.
One of the other problems is tricking the branch predictor into speculatively jumping into code of one's choosing.
The microcode updates that people have been mentioning are not updates to your motherboard's firmware, EFI or otherwise. They are updates to the code that runs inside your central processor chip, the so-called microcode, that does the work of understanding and enacting processor instructions (in all programs, from the programs in your firmware to the programs that you download and run from the WWW).
Firmware updates are largely irrelevant to this issue, only being involved in the sense that one way to perform microcode updates is for your machine's firmware to upload the new microcode image file. But that is just one way for that to be done; your operating system can do it, too.
Microcode updates in the offing:
Future microcode updates mentioned:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/... - processors older than 5 years don't need a microcode update, and probably won't even benefit. The new instructions for preventing variant 2 is inferior to retpolines, even according to Intel...
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/... - basically, you need software updates for variant 1 and 3, and both software and microcode update for 2 for certain CPUs. Bullshit doesn't even begin to describe that sentence...
Intel says Broadwell or newer: https://newsroom.intel.com/wp-content/uploads/sites/11/2018/... (page 5)