New LogoFAIL Attack Allows Malicious Firmware Infections in Windows and Linux Boot Process

by time news

A new attack called LogoFAIL has been discovered that targets hundreds of Windows and Linux computer models, exploiting vulnerabilities to plant firmware infections that are nearly impossible to detect or remove with current defenses. The attack, carried out by replacing legitimate boot logo images with specially crafted ones, allows malicious firmware to execute early in the boot sequence, gaining a high level of control over the affected device. This has raised concerns about platform security, since the attack can bypass industry-wide protections and defenses.

The vulnerabilities, which have lurked for years in the Unified Extensible Firmware Interface (UEFI) firmware responsible for booting modern devices, affect a wide range of consumer and enterprise-grade models. The attack can be executed remotely in post-exploitation scenarios and evades detection by traditional endpoint security products. The affected companies are releasing advisories disclosing which of their products are vulnerable and providing security patches.

The attack, unveiled at the Black Hat Security Conference in London, involves image parsing vulnerabilities in UEFIs from major hardware vendors, such as AMI, Insyde, and Phoenix. Once arbitrary code execution is achieved in the boot process, the attackers gain full control over the target device’s memory and disk, including the operating system. This allows for the delivery of a second-stage payload that drops an executable onto the hard drive before the main OS has even started. Binarly, the security firm that discovered the vulnerabilities, has described LogoFAIL as a high-impact security threat affecting the entire ecosystem across different code and device vendors.

The vulnerabilities have been the subject of a coordinated mass disclosure, with the participating companies releasing advisories and security patches for affected products. LogoFAIL has raised concerns about the ability of traditional endpoint security solutions to detect and remove the attack, making it a significant threat to platform security.
