Pretty much all Windows and Linux computers are vulnerable to this new cyberattack

A person using a touchscreen Windows 11 laptop.
(Image credit: Surface/Unsplash)

Cybersecurity researchers from Binarly have found a set of firmware flaws that they claim affect virtually every Windows and Linux-powered machine in use today.

The flaws, collectively dubbed LogoFAIL, allow threat actors to execute malicious code on the endpoint during firmware boot, before the operating system and therefore before any antivirus or endpoint protection tool has loaded, which renders such tools useless against it.

Regardless of the computer you have, whenever you boot it up, you'll first see a logo from the device's manufacturer. That logo is an ordinary image file which the Unified Extensible Firmware Interface (UEFI) parses and draws while it is still running, before the OS takes over. The image parsers in UEFI firmware, the researchers claim, have carried roughly two dozen flaws for years. An attacker who can replace the logo with a specially crafted image can exploit those flaws to run their own code as the firmware processes the file.

Simple attack

The crafted image can look identical to the original when displayed, so nothing appears amiss on screen. The firmware still parses it, and the attacker's code runs when it does. Because this happens so early in the boot process, no OS security feature or antivirus program is running yet to flag it.

Secure Boot, Intel's Boot Guard, and other similar solutions designed to protect against bootkit infections do not help here, because the logo image is not part of what they verify. These two dozen vulnerabilities have collectively been named LogoFAIL.
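To show the bug class concretely, here is an added example in C (not code from this article, from Binarly, or from any firmware vendor) of a toy boot-logo decoder. The container format, the LOGO magic value, the size limit and the function names are all assumptions made for this illustration, not a real image format or real UEFI code. The vulnerable decoder trusts the payload length declared in the image header and never consults the framebuffer's capacity, so a logo that claims more pixels than fit overruns the buffer; the hardened decoder validates every header field against both the input and the destination before it copies anything.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative "LOGO" container, not a real BMP/PNG and not any vendor's parser:
 * magic, width, height, bytes-per-pixel, payload length, then pixel bytes.
 * It mimics the shape of the logo parsers that firmware runs at boot. */
#define LOGO_MAGIC   0x4F474F4CUL   /* "LOGO": assumed for this example only */
#define LOGO_MAX_DIM 4096UL         /* assumed sane upper bound for a boot logo */

typedef struct {
    uint32_t magic;
    uint32_t width;
    uint32_t height;
    uint32_t bpp;        /* bytes per pixel */
    uint32_t data_len;   /* attacker-controlled: declared pixel payload length */
} logo_header_t;

enum { LOGO_OK = 0, LOGO_ERR_SHORT = -1, LOGO_ERR_MAGIC = -2,
       LOGO_ERR_DIM = -3, LOGO_ERR_LEN = -4, LOGO_ERR_FB = -5 };

/* Vulnerable decoder: trusts data_len from the file and ignores the
 * framebuffer's real capacity. Only the source length is bounded, so the
 * read stays in range while the write can run past the end of fb. */
int decode_logo_vulnerable(const uint8_t *blob, size_t blob_len,
                           uint8_t *fb, size_t fb_len)
{
    logo_header_t h;
    (void)fb_len;                               /* capacity never consulted */
    if (blob_len < sizeof h) return LOGO_ERR_SHORT;
    memcpy(&h, blob, sizeof h);
    if (h.magic != LOGO_MAGIC) return LOGO_ERR_MAGIC;
    size_t avail = blob_len - sizeof h;
    size_t n = h.data_len < avail ? h.data_len : avail;
    memcpy(fb, blob + sizeof h, n);             /* overflow: n may exceed fb_len */
    return LOGO_OK;
}

/* Hardened decoder: every size used for the copy is derived from checked
 * fields and compared against both the input and the output buffer. */
int decode_logo_hardened(const uint8_t *blob, size_t blob_len,
                         uint8_t *fb, size_t fb_len)
{
    logo_header_t h;
    if (blob_len < sizeof h) return LOGO_ERR_SHORT;
    memcpy(&h, blob, sizeof h);
    if (h.magic != LOGO_MAGIC) return LOGO_ERR_MAGIC;
    if (h.width == 0 || h.height == 0 || h.bpp == 0 ||
        h.width > LOGO_MAX_DIM || h.height > LOGO_MAX_DIM || h.bpp > 4)
        return LOGO_ERR_DIM;
    /* width*height*bpp cannot overflow a uint64_t after the bounds above */
    uint64_t need = (uint64_t)h.width * h.height * h.bpp;
    if (need != h.data_len) return LOGO_ERR_LEN;         /* header must be self-consistent */
    if (need > blob_len - sizeof h) return LOGO_ERR_LEN; /* payload must actually be present */
    if (need > fb_len) return LOGO_ERR_FB;               /* and must fit the framebuffer */
    memcpy(fb, blob + sizeof h, (size_t)need);
    return LOGO_OK;
}

/* Build a logo blob (constructed test data) whose header claims `claimed`
 * payload bytes; the payload actually present is `present` bytes of 0xAA. */
size_t build_logo(uint8_t *out, size_t out_len, uint32_t w, uint32_t hgt,
                  uint32_t bpp, uint32_t claimed, size_t present)
{
    logo_header_t h = { LOGO_MAGIC, w, hgt, bpp, claimed };
    if (out_len < sizeof h + present) return 0;
    memcpy(out, &h, sizeof h);
    memset(out + sizeof h, 0xAA, present);
    return sizeof h + present;
}

/* Run the hardened decoder on a constructed logo and return its status code. */
int hardened_status(uint32_t w, uint32_t hgt, uint32_t bpp, uint32_t claimed,
                    size_t present, size_t fb_len)
{
    uint8_t blob[1024], fb[1024];               /* fb_len is assumed <= 1024 */
    size_t blob_len = build_logo(blob, sizeof blob, w, hgt, bpp, claimed, present);
    if (blob_len == 0) return LOGO_ERR_SHORT;
    return decode_logo_hardened(blob, blob_len, fb, fb_len);
}

/* Demo: a 256-byte framebuffer at the start of a larger arena, with the rest
 * of the arena acting as a guard region, and a logo claiming 16x16x3 = 768
 * bytes. Returns 1 if the decoder wrote into the guard, 0 otherwise. */
int demo_overflow(int (*decode)(const uint8_t *, size_t, uint8_t *, size_t))
{
    uint8_t arena[1024];                        /* fb is arena[0..256), guard follows */
    uint8_t blob[1024];
    memset(arena, 0, sizeof arena);
    size_t blob_len = build_logo(blob, sizeof blob, 16, 16, 3, 768, 768);
    decode(blob, blob_len, arena, 256);         /* writes stay inside arena: well defined */
    for (size_t i = 256; i < sizeof arena; i++)
        if (arena[i] != 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable decoder clobbers guard: %d\n", demo_overflow(decode_logo_vulnerable));
    printf("hardened decoder clobbers guard:   %d\n", demo_overflow(decode_logo_hardened));
    return 0;
}
```

The guard-region trick in demo_overflow keeps the overrun inside one array so the example stays well defined while still showing the write landing past the framebuffer. In real firmware the bytes past that boundary are whatever happens to follow the allocation, which is what turns a bad logo into code execution.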

The devices deemed vulnerable to LogoFAIL span the entire x64 and ARM ecosystem: UEFI suppliers AMI, Insyde and Phoenix, device manufacturers such as Lenovo, Dell and HP, and CPU vendors Intel and AMD. Patches are already available, but they differ from manufacturer to manufacturer, so users are advised to find the advisory for their device and apply the firmware update it points to.

In practice, pulling this attack off means the threat actors need to have gained access to the device beforehand. Unfortunately, there are countless ways they can do that, the researchers said, from abusing an unpatched browser vulnerability to briefly physically accessing the device. Once they have that access, the act of replacing the image is relatively easy to pull off, they said.

LogoFAIL is being tracked as CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.