queue

joined 1 year ago
[–] [email protected] 21 points 1 month ago (1 children)
  • Lawsuit wins
  • Lawyers get paid millions
  • Customers affected get maybe $9, for lower than their data was sold for
  • PayPal walks away with it as the price of doing business, no one involved is jailed.
[–] [email protected] 6 points 1 month ago (2 children)

To train Google/Cloudflare's AI tools, and to double check against DDOS. That's it.

[–] [email protected] 3 points 2 months ago

A rare Aging Wheels enjoyer in the wild! That dude has single-handedly gotten me more interested in automobile history and just how cars do things in general.

[–] [email protected] 12 points 2 months ago

Oligarchs are only for the rich outside of the Thirteen Eyes. American oligarchs are called lobbyists and job creators.

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago)

I personally have a Yubikey and OTP for mine. Maybe they don't for your country?

That said, fuck PayPal.

[–] [email protected] 17 points 3 months ago

If one person he is insanely focused on made a joke about him breathing too much, and they saw people laughing at it, he would. Instantly without second thought, because he never had a first thought.

[–] [email protected] 48 points 3 months ago (7 children)

Can't wait until he just dies from his own incompetence.

[–] [email protected] 2 points 3 months ago

Blu-ray/HD DVD was out before the majority of people stopped using their VHS collections.

Do you have a citation on this? Personally I was DVD only until I got an Xbox One, which could play Blu-rays.

And we got DVDs because my brother marketed getting a PS2 to my family as a DVD player and a Video Game system, as one of those alone cost the same as a PS2 at the time.

And we gave up VHS tapes long before, as space is at a premium for us. Worse quality, worse features, more work to rewatch something, bigger format, etc.

[–] [email protected] 81 points 3 months ago (8 children)

On why KOSA is an outrageous censorship bill that puts the power to control what you see online in the hands of dangerous people: https://www.eff.org/deeplinks/2024/07/kosa-internet-censorship-bill-just-passed-senate-its-our-last-chance-stop-it

On why KOSA is harmful to queer people, particularly trans youth: https://www.them.us/story/kids-online-safety-act-kosa-youth-lgbtq-content

On Marsha Blackburn's anti-trans intentions and what she feels KOSA should protect kids from: https://www.them.us/story/kosa-senator-blackburn-censor-trans-content (see also attached video clip)

On why it's not just queer people telling you KOSA is an absolute disaster: https://www.aclu.org/press-releases/aclu-slams-senate-passage-of-kids-online-safety-act-urges-house-to-protect-free-speech

Proof that the kids this bill purports to protect don't want it to pass: https://www.eff.org/deeplinks/2024/03/thou

And all but 3 members of the senate voted in approval: https://apnews.com/article/senate-child-online-safety-vote-f27c329679feb2d74787fc3887aa710f

America only has bipartisan support for hurting minorities.

[–] [email protected] 3 points 3 months ago

No? It downloads the videos. Your video player is the "frontend".

[–] [email protected] 11 points 3 months ago

There are legal complications with silencing a sitting US president. Before Elon, Twitter struggled to contextualize and mitigate the damage.

It's not a 1st Amendment violation, and every president has the ability to communicate to the public 24/7. At least when Woodrow Wilson had his 3 AM racist thoughts it wasn't able to get out fast enough for the press secretary to try and bury the lead.

[–] [email protected] 45 points 3 months ago (6 children)

Not to deflect blame from Musk, but Jack was just as bad. He openly let Trump ignore the rules and TOS of the website because it got more ad revenue into the site. Trump said the most asinine, racist, sexist, queerphobic, ableist bullshit, but who gives a shit when he's the President?! He got suspended when he made Jan 6th happen. Everything before then was cool because it never got enough bad press.

Musk made it worse, but Jack is why it was possible in the first place. Jack banned leftists saying queer rights are more important than cishet feelings. Jack banned BIPOC from commenting on white people being openly racist and using slurs, but you called them a cracker once, you get perma-banned.

Fuck Twitter, Fuck Musk, Fuck Jack.

130
submitted 5 months ago* (last edited 5 months ago) by [email protected] to c/[email protected]
 

Firmware security company Binarly on Wednesday disclosed the details of an attack method that can be used to compromise many consumer and enterprise devices by leveraging malicious UEFI logo images.

The attack method, dubbed LogoFAIL, exploits vulnerabilities in the image parsers used by the UEFI firmware to display logos during the boot process or in the BIOS setup. Getting the affected parsers to process a specially crafted image can enable the attacker to hijack the execution flow and run arbitrary code.

Hackers can use the LogoFAIL attack to compromise the entire system and bypass security measures such as Secure Boot.

“These vulnerabilities can compromise the entire system’s security, rendering ‘below-the-OS’ security measures like any shade of Secure Boot ineffective, including Intel Boot Guard. This level of compromise means attackers can gain deep control over the affected systems,” Binarly explained.

Binarly’s analysis showed that UEFI vendors use various types of parsers for BMP, PNG, JPEG, GIF and other types of images. The security firm’s research targeted firmware from Insyde, AMI and Phoenix and led to the discovery of two dozen vulnerabilities, more than half of which have been assigned a ‘high severity’ rating.

The impacted firmware is shipped with hundreds of consumer and enterprise computer models — including x86 and ARM-based devices — made by companies such as Acer, Dell, Framework, Fujitsu, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, and Supermicro. This means millions of devices worldwide could be exposed to attacks.

A LogoFAIL attack can be launched by abusing the firmware update procedure to replace the legitimate logo with a malicious version. Attacks through physical access may also be possible, using an SPI flash programmer, assuming that the logo is not protected by hardware verified boot technologies.

Some vendors — this includes Intel, Acer and Lenovo — offer features that enable users to customize the logos displayed during boot, which can make it possible to launch LogoFAIL attacks from the OS, without the need for physical access to the device.

It’s important to note that while image parser vulnerabilities have been found in devices from all of the aforementioned vendors, they cannot always be exploited. In Dell’s case, for instance, the logo is protected by Intel Boot Guard, which prevents its replacement even if the attacker has physical access to the targeted system. In addition, Dell does not offer any logo customization features.

Details of the attack were presented by Binarly at the Black Hat Europe conference on Wednesday, and the company has published a technical blog post describing its findings.

The security firm has published a video showing a proof-of-concept (PoC) LogoFAIL exploit in action, demonstrating how an attacker who has admin permissions on the operating system can escalate privileges to the firmware level.

The vulnerabilities were reported to impacted vendors through CERT/CC several months ago, but it can take a lot of time for patches for these types of security holes to reach end devices, even if vendors create the fixes.
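As an added illustration of the parser class the article describes (this is not Binarly's code or any firmware vendor's parser), here is a bounds-checked BMP header parse of the kind a boot-logo parser must perform before touching pixel data, with constructed sample headers that a correct parser accepts or rejects; the specific error codes and helper names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
typedef struct { uint32_t width, height, bpp, pixel_off, pixel_bytes; } bmp_info_t;
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Validate a BMP file header + BITMAPINFOHEADER without ever reading past len.
 * Returns 0 on success, a negative code naming the rejected field otherwise. */
int bmp_parse_header(const uint8_t *buf, size_t len, bmp_info_t *out) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return -1;    /* 14-byte file header + 40-byte DIB header */
    uint32_t pixel_off = rd32(buf + 10), dib_size = rd32(buf + 14);
    int32_t  w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);
    if (dib_size < 40 || planes != 1) return -2;
    if (w <= 0 || h == 0 || h == INT32_MIN) return -3;             /* negative height means top-down, allowed */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32) return -4;
    uint32_t rows = (uint32_t)(h < 0 ? -h : h);
    /* Rows are padded to 4 bytes; do the size math in 64 bits so a huge width cannot wrap. */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = stride * rows;
    if (pixel_bytes > UINT32_MAX) return -5;                        /* would overflow a 32-bit allocation size */
    if (pixel_off < 14 + dib_size || pixel_off > len) return -6;    /* pixel array must start inside the buffer */
    if (pixel_bytes > len - pixel_off) return -7;                   /* ...and fit inside it */
    out->width = (uint32_t)w; out->height = rows; out->bpp = bpp; out->pixel_off = pixel_off; out->pixel_bytes = (uint32_t)pixel_bytes;
    return 0;
}

/* Constructed sample headers (not real firmware logos) for the checks below. */
static void build_header(uint8_t *buf, int32_t w, int32_t h, uint16_t bpp, uint32_t pixel_off) {
    buf[0] = 'B'; buf[1] = 'M'; wr32(buf + 10, pixel_off); wr32(buf + 14, 40);
    wr32(buf + 18, (uint32_t)w); wr32(buf + 22, (uint32_t)h);
    buf[26] = 1; buf[27] = 0; buf[28] = (uint8_t)bpp; buf[29] = (uint8_t)(bpp >> 8);
}
int check_sane_logo(void) {        /* 2x2 at 24 bpp: two 8-byte padded rows = 16 pixel bytes */
    uint8_t buf[54 + 16] = {0}; bmp_info_t info;
    build_header(buf, 2, 2, 24, 54);
    return bmp_parse_header(buf, sizeof buf, &info) == 0 && info.pixel_bytes == 16;
}
int check_truncated_logo(void) {   /* header promises 2x2 pixels, file carries none */
    uint8_t buf[54] = {0}; bmp_info_t info;
    build_header(buf, 2, 2, 24, 54);
    return bmp_parse_header(buf, sizeof buf, &info) == -7;
}
int check_overflowing_logo(void) { /* width 0x40000000 at 32 bpp would wrap a 32-bit size computation */
    uint8_t buf[54 + 16] = {0}; bmp_info_t info;
    build_header(buf, 0x40000000, 2, 32, 54);
    return bmp_parse_header(buf, sizeof buf, &info) == -5;
}
```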

 

Microsoft is singing the praises of the new Outlook and wants to persuade users to switch. But beware: if you try out the new Outlook, you risk transferring your IMAP and SMTP credentials of mail accounts and all your emails to Microsoft servers. Although Microsoft explains that it is possible to switch back to the previous apps at any time, the data will already be stored by the company. This allows Microsoft to read the emails.

[Image: Start menu shows new Outlook as recommended app]

The new Outlook now appears as a recommended app in the Windows Start menu of Windows 11 devices with the 2023 update. The Outlook client itself also offers to test the new Outlook version with a "The new Outlook" switch. This is still under development, but is set to replace the mail program and the calendar included in Windows in 2024. In a recent tech community article, Microsoft employee Caitlin Hart also explains that it will also replace the classic Outlook. However, unlike the Windows Mail and Calendar apps, the timetable for this has not yet been set.

When adding a mail account in the new Outlook that is not hosted by Microsoft but is located on company mail servers, for example, the program displays a message. It links to a support article that simply states that non-Microsoft accounts are synchronized with the Microsoft cloud, whereby Gmail, Yahoo, iCloud and IMAP accounts are currently supported. The new Outlook also does this in the versions for Android, iOS and Mac. This means that copies "of your email, calendar, and contacts will be synchronized between your email provider and Microsoft data center". This gives the company full access to all emails and allows it to read and analyze them. That way, Microsoft wants to provide functions that Gmail and IMAP do not offer.

[Image: Warning message of the new Outlook version when adding a non-Microsoft account]

The note makes you wonder: What does Microsoft transfer where? When creating an IMAP account, c't was able to sniff the traffic between new Outlook and the Microsoft servers. It contained the target server, log-in name and password, which were sent to Microsoft's servers. Although TLS-protected, the data is sent to Microsoft in plain text within the tunnel. Without informing or inquiring about this, Microsoft grants itself access to the IMAP and SMTP login data of users of the new Outlook.

When switching from the old Outlook to the new one, the new software is installed in parallel. Previously set up IMAP accounts are not automatically transferred, but the account stored in Windows is. During the test with Google accounts, authentication with OAuth2 was used. Users receive an authentication request and Microsoft does not receive any specific access data, but only an access token that users can revoke again.

An answer to our request for a statement from Microsoft is still pending. At this point in time, however, we must warn against trying out the new Outlook without thinking. In addition to all the emails, some credentials may even end up with Microsoft.

Microsoft already attracted attention with such data redirections at the beginning of the year. After Office updates were applied on Mac computers, Outlook redirected the data to Microsoft's cloud servers without any user notification. At that time, the remedy was to delete IMAP accounts and set them up again. However, this is obviously no longer helpful with the new Outlook.

The Federal Commissioner for Data Protection and Freedom of Information of Germany, Professor Ulrich Kelber, is alarmed by the data detour in Microsoft's new Outlook. He posted on Mastodon that he wants to ask for a report from the Irish Data Protection Commissioner, who is responsible for companies like Microsoft, during a meeting of the European data protection supervisory authorities on Tuesday of the coming week.
