Vilaca says his exploit results from Apple failing to lock down the EFI firmware after a Mac wakes from sleep. He was able to test enough systems to believe it affects only Macs from before mid-2014, although I expect we'll get more information in the near future from other researchers and people who like to poke at this sort of problem.
The EFI could be rewritten to include every kind of snooping and zombie software, snatching all keystrokes and data or turning a computer into an unwitting slave in a distributed denial of service (DDoS) attack. Because the malware is in the EFI, reinstalling OS X or replacing the hard drive does no good. Thunderstrike showed how the system could be modified to prevent updated EFI from Apple from being installed as well.
Remote attacks seem unlikely
Vilaca noted that a remote exploit should be possible, though downplayed it, and I agree there. There's a whole cascade of what would need to happen to first make it useful for an exploit to be created and then install it on unsuspecting Macs.
Any criminal enterprise interested in this exploit has to factor in two elements: how quickly will Apple patch it (if it's ever patched) and how many potential target computers are there that could be exploited? There are conceivably tens of millions of older Macs, so that number is high. But if Apple releases a patch that works with Mavericks and Yosemite, that covers at least 80 percent of active Macs, and potentially more than 90 percent. That makes the yield likely too low to be worthwhile.
To take advantage of this exploit remotely, an attacker would have to either use an unpatched browser weakness or convince a user to install software with an administrative password. Judging by reports around free software that's repackaged with adware and malware and hosted at popular download sites, users routinely give away the keys to the kingdom. But on what scale? Probably also not enough to be worthwhile for this kind of flaw.
Earlier this year, Kaspersky Labs claimed it found malware in hard-disk firmware — the boot and operation software used on hard drives to operate and interact with a computer system. They attributed this to a government actor, widely regarded as the NSA. It's not improbable that this Apple EFI weakness, if it's as described by Vilaca, could be or has been used to target individuals. But the risk on a broad scale seems highly unlikely.
Sign up for CIO Asia eNewsletters.