There's a new vulnerability that could let evildoers control your Mac, even after you format the system drive. Discovered by OS X security expert Pedro Vilaca, the exploit targets older machines after they wake up from sleep mode. The problem is that security normally protecting the firmware isn't activated immediately after certain models wake up, leaving them briefly exposed. And unlike other vulnerabilities that require physical access to a machine (like ThunderStrike) an attacker would be able to plant such an exploit remotely via Safari or other means.
To pull it off, they'd first need to get root OS X root access via a malicious website, email attack or other vector. After a carefully designed program is planted, it could wait for the Mac to sleep (or force it to sleep), then flash the firmware when it wakens. Once inside, the malicious "rootkit" would be difficult to detect and delete compared to regular malware, surviving even re-installs or formatting. Though tricky to use on a large scale, the exploit could be used by attackers to gain "epic ownage" on individual targets, as Vilaca put it.
You could probably... trigger this, all remotely. That's pretty epic ownage.
Vilaca updated his original post to point out that the vulnerability's seriousness, saying it "appears to be an effective zero-day" problem. He confirmed that the bug works on a MacBook Pro Retina, MacBoook Pro 8.2 and a MacBook Air, with all models running the latest BIOS software. However, machines newer than about a year old appear to be immune to it -- possibly because Apple already knows about the issue and patched it, according to Vilaca. Also, even though the exploit is now out there, it would be trickier for attackers to implement than something like Heartbleed. Vilaca doesn't consider the disclosure irresponsible, saying that "the goal is to pressure them to fix their firmware." We've reached out to Apple for comment on the matter.