Editor’s Note: Bruce Schneier is a fellow at Harvard Kennedy School of Government. The opinions expressed in this commentary are his.

(CNN) —

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution – which, of course, is not a solution – is to throw them all away and buy new ones that may be available in a few years.

On Wednesday, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world’s computers for the past 15 to 20 years. They’ve been named Spectre and Meltdown, and they work by exploiting the performance optimizations that let processors reorder instructions or execute several of them in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets from elsewhere on the computer.


This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer – maybe one running in a browser window from that sketchy site you’re visiting, or as a result of a phishing attack – can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Exactly how, we don’t know yet.

Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling.

Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.
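Whether a given Linux machine has actually received the Meltdown patch, and which Spectre mitigations it has, can be read straight from the kernel, which reports a per-bug status line under /sys/devices/system/cpu/vulnerabilities on kernels from 4.15 onward. The script below is an added example, not part of this column; it takes the directory as a parameter so it can also be run against a constructed copy of those files on a system that lacks them.

```sh
#!/bin/sh
# Summarise the kernel's CPU-bug mitigation status. Each file under the
# sysfs directory holds one line such as "Not affected", "Vulnerable" or
# "Mitigation: PTI" (PTI is the Meltdown fix that costs the performance
# the column mentions). Assumption: a Linux kernel of 4.15 or later, or a
# directory of constructed status files passed as the first argument.

# Classify one status line. Exit status 0 means mitigated or not affected;
# 1 means the kernel still reports the CPU as exposed (unknown text counts
# as exposed, so a new or unexpected state is never silently accepted).
is_mitigated() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per bug, then "unmitigated=<n>" as the final line.
cpu_bug_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    unmitigated=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skips a missing directory too
        status=$(cat "$f")
        if is_mitigated "$status"; then
            printf 'ok       %s: %s\n' "${f##*/}" "$status"
        else
            printf 'EXPOSED  %s: %s\n' "${f##*/}" "$status"
            unmitigated=$((unmitigated + 1))
        fi
    done
    printf 'unmitigated=%d\n' "$unmitigated"
}

# Scripting helper: only the number of bugs still reported as vulnerable.
count_unmitigated() {
    cpu_bug_report "$1" | sed -n 's/^unmitigated=//p'
}

# Run against the live kernel when executed directly, e.g. from a fleet
# inventory job; a non-zero count is the signal to chase the vendor patch.
if [ "${1:-}" != "--no-run" ]; then
    cpu_bug_report "$@"
fi
```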

“Throw it away and buy a new one” is terrible security advice, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren’t security teams on call to write patches, and there often aren’t mechanisms to push patches onto the devices.

We’re already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can’t be fixed.

The second is that some of the patches require updating the computer’s firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors.

But it couldn’t get that update directly to users; it had to work with the individual hardware companies, and some of them just weren’t capable of getting the update to their customers.

The final reason is the nature of these vulnerabilities themselves. These aren’t normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.

It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors.

Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they – and the research into the Intel ME vulnerability – have shown researchers where to look, more is coming – and what they’ll find will be worse than either Spectre or Meltdown.

There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

This isn’t to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method among many. All the normal security advice still applies: watch for phishing attacks, don’t click on strange e-mail attachments, don’t visit sketchy websites, patch your systems immediately, and generally be careful on the Internet.

You probably won’t notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don’t do all of these fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.

It’s a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they’ll figure out some clever way of detecting and blocking the attacks.

But more are coming, and they’ll be worse. 2018 will be the year of microprocessor vulnerabilities, and it’s going to be a wild ride.