Extensive Windows and Linux Vulnerabilities Might Let Attackers Sneak in Malicious Code Before Boot


Lenovo, AMI and Insyde have launched spots for LogoFAIL, an image library poisoning attack.

Researchers at firmware supply chain security platform business Binarly found a set of security vulnerabilities that open nearly all Windows and Linux computer systems as much as attack. The security scientists named the attack LogoFAIL because of its origins in image parsing libraries. Binarly revealed its discovery on Nov. 29 and held a coordinated mass disclosure at the Black Hat Security Conference in London on Dec. 6.

Any x86 or ARM-based gadget utilizing the Unified Extensible Firmware Interfaces firmware ecosystem might potentially be open to the LogoFAIL attack. Binarly is still investigating whether additional manufacturers are impacted. LogoFAIL is particularly hazardous due to the fact that it can be remotely carried out in ways lots of endpoint security products can’t detect.

This vulnerability is not understood to have been exploited, though numerous vendors have launched patches.

Dive to:

How does the LogoFAIL attack work?

LogoFAIL is a series of vulnerabilities whereby the graphic image parsers in system firmware can use personalized versions of image parsing libraries. Basically, an assailant can change an image or logo design (therefore the name) that appears while the device boots up and gain access to the operating system and memory from there (Figure A).

Figure A

A diagram of the UEFI firmware ecosystem and where LogoFAIL could potentially impact it.< img src= "https://www.techrepublic.com/wp-content/uploads/2023/12/logofail-diagram-figure-a-dec-23.png" alt ="A diagram of the UEFI firmware environment and where LogoFAIL could potentially impact it. "width ="1040"height="829"/ > A diagram of the UEFI firmware environment and where LogoFAIL could potentially affect it. Image: Binarly Attacks based upon the UEFI system firmware have actually been around because the early 2000s, however”… the number of image parsers have considerably increased throughout the years,”Binarly wrote. More image parsers implies a larger attack surface.

In other words, opponents could embed malicious code into logo designs that appear during the Motorist Execution Environment stage in the boot process, such as the device producer’s logo. From there, assaulters can access and manage the device’s memory and disk (Figure B). Binarly has a technical explanation.

Figure B

Diagram of the LogoFAIL attack is simplified into its three major steps. The LogoFAIL attack is streamlined into its three significant steps. Image: Binarly revealed they might pack executable code onto the hard disk drive before the device had actually fully booted up.

“We have been greatly focused on reporting vulnerabilities generally found by the Binarly Transparency Platform item, however the work on LogoFAIL was different and initially started as a little research study project just for enjoyable,” Binarly’s team composed. “After demonstrating a huge variety of intriguing attack surfaces from image-parsing firmware components, the project grew into an enormous industry-wide disclosure.”

SEE: Cisco Talos evaluated cybersecurity trends of 2023 (TechRepublic)

How to prevent LogoFAIL

The following companies have released spots for LogoFAIL:

ArsTechnica recommends running UEFI defenses such as Secure Boot, Intel Boot Guard, Intel BIOS Guard or their equivalents for AMD or ARM CPUs. Tech department leaders should inform employees how to download spots as appropriate.


Leave a Reply

Your email address will not be published. Required fields are marked *