Ars Technica on a new remote exploit leaving most Macs vulnerable to permanent backdooring:

Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction.

The attack, according to a blog post published Friday by well-known OS X security researcher Pedro Vilaca, affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode. He found a way to reflash a Mac’s BIOS using functionality contained in userland, which is the part of an operating system where installed applications and drivers are executed. By exploiting vulnerabilities such as those regularly found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and reinstallation of the operating system.

The attack is more serious than the Thunderstrike proof-of-concept exploit that came to light late last year. While both exploits give attackers the same persistent and low-level control of a Mac, the new attack doesn’t require even brief physical access as Thunderstrike did. That means attackers half-way around the world may remotely exploit it.

“BIOS should not be updated from userland and they have certain protections that try to mitigate against this,” Vilaca wrote in an e-mail to Ars. “If BIOS are writable from userland then a rootkit can be installed into the BIOS. BIOS rootkits are more powerful than normal rootkits because they work at a lower level and can survive any machine reinstall and also BIOS updates.”

This is a particularly nasty exploit, not just because it allows a persistent backdoor but primarily because it can be done remotely. Generally, flashing a BIOS needs to be accomplished through physical access to the machine. This vulnerability allows attackers to remotely install the permanent backdoor into the BIOS, and such low-level rootkits are the worst type of malware.