Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (ars technica)

Post Syndicated from corbet original https://lwn.net/Articles/953985/

ars technica article
describes how secure-boot firmware on a huge range
of systems can be subverted with a malicious image file:

As its name suggests, LogoFAIL involves logos, specifically those
of the hardware seller that are displayed on the device screen
early in the boot process, while the UEFI is still running. Image
parsers in UEFIs from all three major IBVs [independent BIOS
vendors] are riddled with roughly a dozen critical vulnerabilities
that have gone unnoticed until now. By replacing the legitimate
logo images with identical-looking ones that have been specially
crafted to exploit these bugs, LogoFAIL makes it possible to
execute malicious code at the most sensitive stage of the boot