Lots of incompetent journalistic nonsense, as usual
OK, let's start by debunking the nonsense in the original report from ElReg.
"It requires physical access to the machine". Nonsense. Physical access is one of the things such an attack does *not* require. All you have to do is run a program on the machine - which can be done in the same way as you get any other malicious program (virus or Trojan) run on the machine. There are many other requirements, though, which make the attack far more difficult than the article implies.
"work on virtually all types of systems". Nonsense. In order for this attack to work on a particular system, you need:
1) The system must have a user-programmable (FLASH-able) BIOS. While many systems are like that nowadays (especially laptops), it is far from true for all of them.
2) The BIOS should be FLASH-able by any random program - i.e., it shouldn't require the user to move a jumper or anything like that.
3) The precise way to FLASH the BIOS should be known to the malicious program. There is no standard API to FLASH any random BIOS - the different BIOS producers use different ways. While it is possible to cover "the most popular types of BIOS", it is far from easy and it is not possible to cover them all.
4) The program must be able to find a large enough unused (or not used for anything critical) area in the BIOS to overwrite with the rootkit - otherwise it will destroy something important and the computer will stop working altogether. Again, finding such an area is not easy, and such areas are not in the same places in the BIOSes of all producers.
So, while it is a legitimate attack, do not expect to start seeing it tomorrow on the wide scale the article implies.
OK, now let's move to the nonsense posted in the comments - and I won't even bother with the silly and/or sarcastic remarks.
Oisin McGuigan, you can't be serious. 95% protection is precisely what you're paying for. Do doctors cure 100% of all diseases? Do the police catch 100% of all criminals? Does any lock deter 100% of all lock-pickers? The point is that it is better to pay and have 95% protection than have no protection at all.
For instance, a program installing the kind of rootkit the article is talking about has to *run* on your computer before it can install anything. IF you have anti-virus installed and running properly and IF it knows the program, then it will prevent the program from running in the first place, so your machine will be protected.
"This kind of vuln"?? What kind of "vuln"?! Viruses require no vulnerabilities whatsoever. They rely on the fact that all von Neumann-type computers (which is all kinds of general-purpose computers in use today) cannot distinguish between code and data.