A new zero-day exploit has been revealed for Macs made before 2014:
OS X security researcher Pedro Vilaca wrote about the discovery of the zero-day vulnerability on his blog over the weekend, detailing how it’s possible to tamper with Apple computers’ UEFI (unified extensible firmware interface), which is designed to improve upon a machine’s BIOS.
UEFI code is usually sealed off but Vilaca discovered that when Apple computers made before mid-2014 go to sleep and are reawakened, the code is unlocked and able to be modified.
Vilaca says the only way to defend against the vulnerability is to always shut your computer down and never let it go to sleep. A similar exploit, called Thunderstrike, was discovered last year, but Vilaca claims the one he found could be even more dangerous as it may be possible to remotely exploit the bug.
Until a patch is released, you’d be wise to follow Vilaca’s advice if you’re doing any traveling.