They were quite clear that for this to work, the payload portion was required to run in a virtual "guest OS" under VirtualBox, a system that enables alternative Intel-based operating systems to operate simultaneously with OSX. VirtualBox is a free UNIX app that is equivalent to Parallels Desktop or VMware's Fusion which cannot even operate on any PowerPC processor computers, nor could any of the Operating Systems it supports run, since there is no Intel processor for it to use.
When an OS is virtualized under one of these types of applications such as VirtualBox, that OS can operate under its own rules, hitting the hardware, ignoring the permissions inherent in UNIX. It is a way to bypass Root permissions. Since the G5 is NOT an Intel processor, the command structure is totally different, as are the system calls. It is not a trivial issue to simply write another hardware level EPROM flash writer.
In general, I agree with your point about the new approach to attack other microcontrollers included with the system, but I think that they did stretch their point when their target Macs had to be running a non-standard environment with a VirtualBox with an unnamed OS of their choice. My original point was valid as well... that they would have gotten nowhere on a standard environment, as-sold Mac, attempting this as a remote exploit. In other words, we are both right to an extent.
I remember them mentioning VirtualBox, but I don’t recall what it was used for in their scheme. I’m thinking it was for something extra beyond the basic disable-the-LED hack, but I’ll need to check it out.
After Stuxnet, I think we need to be particularly concerned about microcontroller malware. While the consequences in that particular case were good (slowing down Iran’s nuclear development), in general I think our infrastructure is very susceptible to this sort of attack.
OK, I checked it out. VirtualBox wasn’t needed for the basic webcam hack that disabled the LED.
But after showing how to disable the LED, they indicated how the same method can be used to do other things, such as break out of a virtual machine. A machine running VirtualBox was their example of how to use their trick so that software inside VirtualBox can run programs in the host operating system.
So for this the point was that they can use their trick to break out of a virtual machine — once again, doing something that seems impossible at first glance.
Clearly this is all quite complicated, and I’m not 100% sure that I haven’t missed something, but I think what I’ve written is correct.