If you use a Windows or Linux device, it's vulnerable to a new post-exploit attack that can remotely install an undetectable backdoor at the UEFI level. Updates from just about every vendor available today. Impressive work from @matrosov and the rest of Binarly.
It's 2023, and not only can malicious images still remotely execute malicious code on your devices, but they can do it at the UEFI level, during bootup, enabling invisible firmware bootkits. This new post-exploit attack, known as LogoFAIL, is mind-blowing. Amazing that an entire ecosystem comprising dozens of wealthy companies couldn't be bothered to fuzz the UEFIs they provide to billions of people. With a small amount of effort, this attack could have been closed off a decade ago.
Lots of people asking what the CVEs are and where announcements from various parties can be found. This is a massive, massive (un)coordinated disclosure. Lots of broken or non-existent links at the moment. I'm expecting things will straighten out in an hour or two. Please be patient.
A CERT coordination center has published an advisory on LogoFail, but unfortunately, it doesn't tell us much. It confirms that AMI, Insyde, Intel and Phoenix are affected and that Microsoft and Toshiba are not. But the remaining 20 companies are fall in the "unknown" category. One of the unknowns is Lenovo, which has already confirmed that it is affected.
Also, no CVEs.
¯_(ツ)_/¯
@dangoodin I know my @system76 uses Insyde firmware... my machine is older but I hope I get a fix 🙏
@system76 @dangoodin This is great to know — thanks!
@golemwire @dangoodin since you can't change the logo in firmware this wouldn't effect your system or most of the systems anyway.