LogoFAIL exploit bypasses hardware and software security measures and is nearly impossible to detect or remove
Individual BIOS Vendors are scrambling to release UEFI patches to OEMs and motherboard manufacturers.
Computers running Windows or Linux are vulnerable to a new type of firmware attack called LogoFAIL, according to a report from Ars Technica. This attack has proven to be extremely effective because it rewrites the logo that typically appears when the system boots after a successful POST (hence the name, "LogoFAIL"), which is early enough that it can bypass security measures designed to prevent bootkit attacks.
The issue affects any motherboards using UEFI provided by Independent BIOS Vendors (IBVs). IBVs such as AMI, Insyde, and Phoenix will need to release UEFI patches to motherboard companies. Because of the way LogoFAIL overwrites the boot-up logo in the UEFI, the exploit can be executed on any platform using Intel, AMD, or ARM running any Windows operating system or Linux kernel. It works because of the way the rewriteable boot logo is executed when the system turns on. It affects both DIY and prebuilt systems with certain functions kept open by default.
Mode of Attack
The exploit was discovered by researchers at Binarly, who published their findings. The attack occurs when the 'Driver Execution Environment' (DXE) phase is underway after a successful POST. The DXE is responsible for loading up boot and runtime services, initiating the CPU, chipset, and other components in a correct sequence for the boot process to proceed. LogoFAIL replaces the UEFI boot-up logo with the exploit, which then loads during the DXE phase.
The researchers demonstrated its execution and exploit on an Intel 11th gen CPU-based Lenovo ThinkCentre M70s with Intel Secure Boot and Boot Guard enabled and the latest available UEFI update from June.
Alex Matrodov, the founder and CEO of Binarly, highlighted that this issue exploits a newly discovered vulnerability in the image-parsing libraries that are used by the UEFI during the boot process. LogoFAIL exploits that vulnerability to bypass all security solutions implemented by the CPU, operating system, and any third-party security software. Since the exploit is not stored in the storage drive, the infection is impossible to eliminate, even after an OS reformat. This UEFI-level exploit can later install a bootkit without being stopped by any security layer from here onwards — making it very dangerous (and a very effective delivery mechanism).
Macs and some prebuilt PCs are safe
Many OEMs, such as Dell, do not allow their logos to be changed in the UEFI — and their image files are protected by Image Boot Guard; these systems are therefore immune to this exploit. Macs, whose hardware and software are developed in-house by Apple, have logo images hardcoded into the UEFI and are similarly protected. This is also the case for Macs running on Intel CPUs (hardcoded logo images), and so those Macs are also safe.
If your system integrator does not allow for rewriting boot images in its BIOS, you should be fine. But for everyone else, this is an exploit that needs to be patched by both motherboard manufacturers and OEMs, as the research shows both are vulnerable. The only way to protect the image parsing in your system's UEFI is by installing a new UEFI security patch, which you'll need to get from your motherboard manufacturer or OEM (who will get it from the IBV).
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
AMI, Insyde, and Lenovo, among others, have published advisories, but there's no complete list of affected companies — to see if your system is vulnerable, you'll need to check with your OEM/motherboard manufacturer.
Roshan Ashraf Shaikh has been in the Indian PC hardware community since the early 2000s and has been building PCs, contributing to many Indian tech forums, & blogs. He operated Hardware BBQ for 11 years and wrote news for eTeknix & TweakTown before joining Tom's Hardware team. Besides tech, he is interested in fighting games, movies, anime, and mechanical watches.
-
Giroro As much as I like fear-mongering about security vulnerabilities which inexplicably come bundled with branding images and a cutesy name.... The logo image data gets rewritten how, exactly?Reply
By flashing malicious firmware into your motherboard? -
Alvar "Miles" Udell Simple solution: Remove the boot logo. Your system boots faster since it doesn't have to display a useless logo for (up to) several seconds.Reply -
USAFRet
Actually, things like that are used to give the user some indication that the system is actually working. Rather than just a blank screen.Alvar Miles Udell said:Simple solution: Remove the boot logo. Your system boots faster since it doesn't have to display a useless logo for (up to) several seconds. -
punkncat My comment may be a bit 'off track' but basically, we are saying that the security measures taken for W11 and the boon of any hardware older than Ryzen 2xxx or 8th gen Intel now turns out not to be worthwhile (in a sense) because it has the vulnerability that MS thought they were fixing?Reply -
USAFRet
As in all warfare, offense vs defense escalates.punkncat said:My comment may be a bit 'off track' but basically, we are saying that the security measures taken for W11 and the boon of any hardware older than Ryzen 2xxx or 8th gen Intel now turns out not to be worthwhile (in a sense) because it has the vulnerability that MS thought they were fixing?
Perpetual game of whack a mole. -
NinoPino
I'm curious to know if this will fix the issue., I'm not sure because with such incompetent programmers may be the image is parsed also when not displayed.Alvar Miles Udell said:Simple solution: Remove the boot logo. Your system boots faster since it doesn't have to display a useless logo for (up to) several seconds. -
NinoPino
I do some websearch and it seems that way. So the vulnerability is exploitable only flashing a new BIOS ?Giroro said:.... The logo image data gets rewritten how, exactly?
By flashing malicious firmware into your motherboard?
What a surprise that with a malicious BIOS we compromise the system security!
If this is the case, all the story is a bit alarmist. -
why_wolf All they have to do is replace the image file itself. Its only if the UEFI has other security measures turned on that this is not possible. Then a BIOS flash would be needed.Reply
In short make sure Intel Boot Guard is turned on. Apple and Dell are both safe as apparently neither allows the image file to be replaced.