TechRadar
Sead Fadilpašić

Pretty much all Windows and Linux computers are vulnerable to this new cyberattack

Cybersecurity researchers from Binarly have found a flaw that they claim affects virtually every Windows and Linux-powered machine in use today.

The flaw, dubbed LogoFAIL, allows threat actors to execute malicious code on the endpoint in a way that renders practically every antivirus or endpoint protection tool useless.

Regardless of the computer you have, whenever you boot it up, you’ll first see a logo from the device’s manufacturer. While the logo is being displayed, the Unified Extensible Firmware Interface (UEFI) is still running. UEFI, the researchers claim, has been vulnerable to roughly two dozen flaws for years now. By chaining these flaws together and exploiting them, an attacker could replace this image with a different one, capable of hosting malicious code.

Simple attack

The image can be identical to the original one, in order not to arouse any suspicion. Still, UEFI will read and execute the code hosted there. And given the fact that the code is being executed so early in the boot stage, no security features or antivirus programs will flag it.

Secure Boot, Intel’s Boot Guard, and other similar solutions designed to protect from bootkit infections are practically useless here. These two dozen vulnerabilities have collectively been named LogoFAIL.

The devices deemed vulnerable to LogoFAIL include the entire x64 and ARM CPU ecosystem: UEFI suppliers AMI, Insyde and Phoenix; device manufacturers Lenovo, Dell and HP; and CPU vendors Intel and AMD. Patches are already available, but they differ from manufacturer to manufacturer. Users are advised to find the corresponding advisory and learn how to patch the vulnerability.

In practice, pulling this attack off means the threat actors will need to have gained access to the device beforehand. Unfortunately, there are countless ways they can do that, the researchers said, from abusing an unpatched browser vulnerability, to briefly physically accessing the device. The act of replacing the image is relatively easy to pull off, they said. 

LogoFAIL is being tracked as CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238.
