The worm has to be delivered first, which requires either physical access (through a malicious or innocent party carrying an infected device), a separate exploit to install it, or a way to convince a user to run it, as with the escalation flaw discussed above. Once the malware is loaded, it copies itself into the option ROMs of any other attached Thunderbolt device, including peripherals as simple as a Thunderbolt gigabit ethernet adapter.
When a Mac is next restarted with an infected option ROM attached, the malicious software is written into its EFI firmware, providing a new vector. Any infected peripheral that is moved from that Mac to another spreads the malware further. While Apple checks the integrity of firmware updates before they're installed, it doesn't otherwise check option ROMs or EFI firmware at other points, such as at boot.
Apple says that as of 10.10.4 (released in June), the demonstration that Kovah and Hudson plan to show will not work, as they've patched the vector used. Via email, Hudson pointed me to an update on his site on Wednesday that acknowledges one avenue of attack was shut down, but others remain, including using option ROMs to spread their worm. Apple says it's investigating these other reported weaknesses.
But it's crystal clear from the researchers' work that more fundamental changes are needed, rather than plugging holes one at a time. Two months ago, yet another EFI flaw was found, and it was quickly patched by Apple as part of the 10.10.4 release.
A rethink of firmware integrity is needed, and not just by Apple. The two researchers more broadly found problems across the industry in EFI bootloaders. As I noted two months ago, peripheral firmware appears to have already been exploited by national-security agencies, and would thus be a likely target for criminals as well. This kind of attack is neither theoretical nor merely a good demo. Computer vendors need to step up to the new state of firmware risks.