Ars Technica:

Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction.

The attack, according to a blog post published Friday by well-known OS X security researcher Pedro Vilaca, affects Macs shipped prior to the middle of 2014.

The new attack doesn’t require even brief physical access as Thunderstrike did. That means attackers half-way around the world may remotely exploit it. While the attack isn’t likely to be exploited on a mass scale, it’s also not hard for people with above-average skill to carry it out.

I’ve been chatting with my favorite security expert on Twitter about this and he says, “It looks pretty serious. Not panic level, but I hope Apple patches quickly. It makes a root exploit permanent but you still need the initial exploit. Nearly impossible to remove once exploited.”