News LogoFAIL exploit bypasses hardware and software security measures and is nearly impossible to detect or remove

Status
Not open for further replies.

punkncat

Polypheme
Ambassador
My comment may be a bit 'off track' but basically, we are saying that the security measures taken for W11 and the boon of any hardware older than Ryzen 2xxx or 8th gen Intel now turns out not to be worthwhile (in a sense) because it has the vulnerability that MS thought they were fixing?
 

USAFRet

Titan
Moderator
My comment may be a bit 'off track' but basically, we are saying that the security measures taken for W11 and the boon of any hardware older than Ryzen 2xxx or 8th gen Intel now turns out not to be worthwhile (in a sense) because it has the vulnerability that MS thought they were fixing?
As in all warfare, offense vs defense escalates.

Perpetual game of whack a mole.
 

NinoPino

Prominent
May 26, 2022
Simple solution: Remove the boot logo. Your system boots faster since it doesn't have to display a useless logo for (up to) several seconds.
I'm curious to know if this will fix the issue. I'm not sure, because with such incompetent programmers maybe the image is parsed even when it is not displayed.
 
All they have to do is replace the image file itself. It's only if the UEFI has other security measures turned on that this is not possible. Then a BIOS flash would be needed.

In short make sure Intel Boot Guard is turned on. Apple and Dell are both safe as apparently neither allows the image file to be replaced.
 

bit_user

Polypheme
Ambassador
Let's not lose sight of the fact that this exploit was only discoverable because BIOS vendors did a poor job of keeping their software stack up-to-date. If their image decoding libraries were all new enough to have fixes for the known security exploits in JPEG, PNG, WEBP, etc. then it's not exploitable.

At a systemic level, the big miss is that the logo is decoded at an escalated security level that gives these exploits access to do bad things. This is a bad design, by people who should know better.
 

Math Geek

Titan
Ambassador
The logo image data gets rewritten how, exactly?
By flashing malicious firmware into your motherboard?

This is my question as well. The Ars Technica article says this about it:

"There are several ways to exploit LogoFAIL. Remote attacks work by first exploiting an unpatched vulnerability in a browser, media player, or other app and using the administrative control gained to replace the legitimate logo image processed early in the boot process with an identical-looking one that exploits a parser flaw. The other way is to gain brief access to a vulnerable device while it’s unlocked and replace the legitimate image file with a malicious one."

So I guess you get the right permissions and then flash the BIOS from Windows, either remotely or locally.
 

TJ Hooker

Titan
Ambassador
Machines with legacy boot are safe from this exploit then?
If the legacy BIOS has a boot logo/image, I don't see why it wouldn't be similarly vulnerable. It seems highly unlikely that an old legacy BIOS would have more up to date, secure image parsers than current UEFI FWs.

That being said, I don't think this exploit would even be necessary on a legacy BIOS system. If you got physical and/or root access, I think you could just directly compromise the bootloader (and/or device drivers) to get full access, and the BIOS has no means to detect that (which is accomplished by Secure Boot for UEFI systems). It also looks like there are fewer or no checks against compromising a legacy BIOS once you have root/physical access, in contrast to UEFI with things like Boot/BIOS Guard in place.
 

bit_user

Polypheme
Ambassador
If the legacy BIOS has a boot logo/image, I don't see why it wouldn't be similarly vulnerable. It seems highly unlikely that an old legacy BIOS would have more up to date, secure image parsers than current UEFI FWs.
I think the key difference is that legacy BIOS has the logo embedded directly in the BIOS binary, itself. You probably can't modify it, separately.
 

KyaraM

Admirable
I, too, would love to know how to protect yourself from it and figure out if you are affected or not... does turning off the logo work so the virus won't be able to run/be installed? If yes, how can you do that (would be good to know for casual users)? Will there be any irregularities, e.g. during boot (both at the time the overwritten BIOS is flashed and after) or afterwards? How easy is it to explore, especially remotely? I won't be worried if you need physical access, but if it's easy to do remotely...
 

bit_user

Polypheme
Ambassador
I, too, would love to know how to protect yourself from it and figure out if you are affected or not... does turning off the logo work so the virus won't be able to run/be installed?
If only the logo file is modified, then I'd expect disabling the logo would indeed protect you. What I don't know is whether it's any easier to modify the logo than any other aspect of UEFI.

Upgrading your motherboard "BIOS"/UEFI firmware should also help, once your motherboard vendor has released a version with the patched image libraries.

If yes, how can you do that (would be good to know for casual users)?
A really good exploit will cover its tracks, meaning it'll have reverted the logo file, once your machine is infected. If it's that good, then you could be infected by a root kit, which can be incredibly difficult to detect.

Will there be any irregularities, e.g. during boot (both at the time the overwritten BIOS is flashed and after) or afterwards?
Good question. I'm not sure if there are any visible signs your UEFI firmware is being tampered with. One thing that could be a giveaway is some minor image corruption of the logo. I'm not sure if there's an image-based exploit that wouldn't visibly affect the image in some way, but it's plausible.

How easy is it to explore, especially remotely? I won't be worried if you need physical access, but if it's easy to do remotely...
Probably requires admin privileges. For remote exploits which can achieve that, you have probably a lot more to worry about than this esoteric logo-based attack. It's not common to see vulnerabilities that give a remote actor admin privileges on your machine, but they sometimes do come up.
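Two points raised in this thread lend themselves to a concrete illustration: bit_user's observation that the logo is decoded by a parser running at an elevated privilege level (so the parser must distrust every header field), and the later question of how you would notice that a logo file has been swapped. The following Python script is an added example written for this page; it is not code from the original thread, from any firmware vendor, or from the LogoFAIL researchers. It shows (a) a defensive BMP header validator that rejects a logo whose header claims more pixel data than the file actually carries, or dimensions outside a fixed budget, before any pixel buffer would be allocated, and (b) a baseline SHA-256 comparison of the kind a defender could use to spot a replaced logo file. The size limits, the sample images and the "tampered" header are all constructed for the example; nothing here reads or writes real firmware.

```python
import hashlib
import struct

# Constructed policy limits for this example (hypothetical, not any vendor's):
# a logo larger than this is rejected before any pixel buffer is allocated.
MAX_DIMENSION = 4096
MAX_PIXEL_BYTES = 32 * 1024 * 1024

FILE_HEADER = struct.Struct("<2sIHHI")          # 14-byte BITMAPFILEHEADER
INFO_HEADER = struct.Struct("<IiiHHIIiiII")     # 40-byte BITMAPINFOHEADER
HEADERS_LEN = FILE_HEADER.size + INFO_HEADER.size  # 54 bytes


class LogoRejected(ValueError):
    """Raised when a logo fails validation; the caller should boot without a logo."""


def validate_bmp(data: bytes) -> dict:
    """Validate an uncompressed 24/32-bpp BMP header against the real file length.

    The declared file-size field is deliberately ignored: only len(data) is trusted.
    Every range check happens before the multiplications, which is where a
    fixed-width C implementation would otherwise overflow on a lying header.
    """
    if len(data) < HEADERS_LEN:
        raise LogoRejected("truncated: shorter than the fixed headers")
    sig, _declared_size, _r1, _r2, pixel_offset = FILE_HEADER.unpack_from(data, 0)
    if sig != b"BM":
        raise LogoRejected("bad signature")
    (hdr_size, width, height, planes, bpp, compression,
     _img_size, _xppm, _yppm, _colors, _important) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)
    if hdr_size != INFO_HEADER.size:
        raise LogoRejected("unsupported DIB header size %d" % hdr_size)
    if planes != 1 or compression != 0 or bpp not in (24, 32):
        raise LogoRejected("only uncompressed 24/32-bpp images are accepted")
    abs_height = abs(height)  # negative height means top-down rows, legal in BMP
    if not (0 < width <= MAX_DIMENSION and 0 < abs_height <= MAX_DIMENSION):
        raise LogoRejected("dimensions out of range")
    row_bytes = ((width * bpp + 31) // 32) * 4   # rows are padded to 4 bytes
    pixel_bytes = row_bytes * abs_height
    if pixel_bytes > MAX_PIXEL_BYTES:
        raise LogoRejected("pixel buffer would exceed budget")
    if pixel_offset < HEADERS_LEN or pixel_offset + pixel_bytes > len(data):
        raise LogoRejected("pixel data extends past end of file")
    return {"width": width, "height": abs_height, "bpp": bpp, "pixel_bytes": pixel_bytes}


def make_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Build a minimal all-black BMP; used only to construct sample inputs."""
    row_bytes = ((width * bpp + 31) // 32) * 4
    pixels = bytes(row_bytes * height)
    total = HEADERS_LEN + len(pixels)
    file_hdr = FILE_HEADER.pack(b"BM", total, 0, 0, HEADERS_LEN)
    info_hdr = INFO_HEADER.pack(INFO_HEADER.size, width, height, 1, bpp, 0,
                                len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def logo_matches_baseline(data: bytes, expected_sha256: str) -> bool:
    """Compare the logo against a hash recorded when the firmware was known-good."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def check_logo(data: bytes, expected_sha256: str) -> str:
    """Structure first, then integrity: returns 'ok', 'modified' or 'rejected: <why>'."""
    try:
        validate_bmp(data)
    except LogoRejected as exc:
        return "rejected: %s" % exc
    if not logo_matches_baseline(data, expected_sha256):
        return "modified"
    return "ok"


# Constructed samples: a 16x8 known-good logo and a copy whose width field was
# overwritten to claim far more pixels than the file contains.
GOOD_LOGO = make_bmp(16, 8)
BASELINE_SHA256 = hashlib.sha256(GOOD_LOGO).hexdigest()
_tampered = bytearray(GOOD_LOGO)
struct.pack_into("<i", _tampered, FILE_HEADER.size + 4, 0x7FFFFFFF)  # width field
TAMPERED_LOGO = bytes(_tampered)

if __name__ == "__main__":
    print("good     :", check_logo(GOOD_LOGO, BASELINE_SHA256))
    print("tampered :", check_logo(TAMPERED_LOGO, BASELINE_SHA256))
    print("truncated:", check_logo(GOOD_LOGO[:-1], BASELINE_SHA256))
    print("swapped  :", check_logo(make_bmp(16, 8, 32), BASELINE_SHA256))
```

The order in `check_logo` matters: structural validation runs before the hash comparison so that a malformed file is never handed to a decoder, while the hash comparison catches the case the thread worries about most, a well-formed logo that is simply not the one the vendor shipped. Hash comparison only works if the baseline was recorded from a trusted firmware image, and it does not cover the case where other parts of the firmware were modified alongside the logo.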
 

HaninTH

Proper
Oct 3, 2023
I think it's fair to say people were not thinking their boot logo was a security risk. Of all the obvious security issues to consider, I doubt the boot logo was on anyone's top 50 things to worry about.
All hardware depends on software which is written by humans, who are not perfect, and even if they were, there are other reasons to do things.

It could just be cost cutting leading to missed flags or a rush to push out updates for other issues that misses other portions of the firmware.

I tend to lean towards these were intentionally left there. (CIA/NSA/9eyes/Etc.'s request/mandate)

Anyway, back to the issue of not assuming an image parser would cause this kind of havoc.

This won't be the first time an image parser has caused issues, it seems to be a common issue for web browsers so why not firmware? I think some people don't realize that an image file is more than just the image, especially certain formats that support extended features (animations). This requires more than just the ability to show the "image".

If you didn't code it yourself, and you haven't thoroughly tested it in every permutation it could ever be put under, then consider it unsafe.

There are way too many people interested in the actions of the rest of us for these things to just be accidents. Am I too paranoid?
 

JamesJones44

Reputable
Jan 22, 2021
Maybe I missed it, but what is the delivery method of this attack? USB drive, JavaScript execution by the browser, download a file, running an untrusted app, random UDP packet, etc?

I get how the exploit works, I'm just not seeing how this attack gets onto a system to begin with. If it's from simply seeing an infected image while browsing the web because it gets cached, then this is a very serious exploit. If it's by downloading a file from your favorite pirate site or physically downloading an image, then this is a little bit less worrying for those who know what to look for.

The blog post makes it sound more like the latter, but was curious if I missed how they delivered it.
 