LogoFAIL, another firmware attack affecting millions of Windows and Linux computers
December 7, 2023
LogoFAIL is a firmware attack that researchers from Binarly presented as a proof of concept at the Black Hat Security Hacking Conference in London. It is highly dangerous because it exploits vulnerabilities that affect tens of millions of Windows and Linux PCs.
Researchers discovered and documented this vulnerability affecting the Unified Extensible Firmware Interface (UEFI), a standard pushed by the giants of the PC industry to overcome the limitations of the old BIOS. UEFI firmware is vital in every PC: it provides low-level communication, operation and basic hardware configuration, and it is responsible for booting the vast majority of Windows and Linux computers.
LogoFAIL is a further development in so-called “firmware attacks”, which allow malicious code to run in the early stages of a PC’s boot sequence. These types of attacks are known and have been particularly important in the field of cyber security since their introduction, because they are nearly impossible to detect or remove using current defense mechanisms. We have already seen others of this kind, such as BlackLotus, the first UEFI malware capable of bypassing Windows Secure Boot.
LogoFAIL, extremely dangerous
The attack stands out for its relative ease of execution, the breadth of both consumer and business models (tens of millions of computers) that are susceptible, and the high level of control that is gained over them. In many cases, LogoFAIL can be run remotely in post-exploitation situations using techniques that traditional endpoint security products cannot detect.
And since the exploits are launched during the early stages of the boot process, they can bypass defenses, including the aforementioned Secure Boot, designed by Microsoft and extended with anti-bootkit measures, which does not work against this attack. The attack comprises two dozen vulnerabilities in image parsers within UEFI and affects almost all x86 and ARM CPU ecosystems.
Worryingly, these vulnerabilities went unnoticed for years, if not decades, and their discovery is the result of extensive research conducted by Binarly, a security company specializing in the identification and protection of vulnerable firmware. LogoFAIL targets logos displayed on a device’s screen during the early boot process and exploits vulnerabilities in image parsers to replace legitimate logos with infected files. This manipulation allows arbitrary code to run during the Driver Execution Environment (DXE) phase, which undermines the security of the platform.
LogoFAIL can be run remotely and avoid traditional protections. Once arbitrary code execution is achieved during the DXE phase, attackers gain full control over the memory and storage units of the target devices, including the operating system. Imagine if a hacker could control your computer from the moment you turn it on: they could access all your files, watch what you do, and install more harmful programs. That’s why LogoFAIL is a big deal.
The investigation and set of vulnerabilities were the subject of a coordinated mass disclosure program involving nearly the entire PC manufacturer ecosystem: major UEFI firmware providers such as AMI, Insyde, and Phoenix; processor manufacturers Intel and AMD; and major PC manufacturers Lenovo, Dell, and HP.
Affected parties are already posting notices with information about vulnerable products and security patches, so we should pay attention to the UEFI security updates that the suppliers will publish, which must be installed. Please note that Apple Macs, both older Intel-based machines and the latest ARM-based models, are not affected, as they do not use UEFI firmware.
Donald Salinas is an experienced automobile journalist and writer for Div Bracket. He brings his readers the latest news and developments from the world of automobiles, offering a unique and knowledgeable perspective on the latest trends and innovations in the automotive industry.