arstechnica.com

Truck_kun, to linux in Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack

I actually am in the market for a new mobo and cpu.

Are there any mobo’s nowdays that don’t use UEFI? I just want an old traditional style BIOS with a jumper to restore it from a ROM chip if I get any malware, so I can actually trust my hardware.

I did force myself to deal with UEFI for the sake of windows, but gaming has gotten good enough on Linux, I don’t actually need to dual boot windows anymore.

Am I asking too much?

yum13241,

No, and trying to use a pure BIOS system these days is a headache.

You can always just reflash your firmware from a trusted OS via FWUPD.

charonn0, to linux in Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack
@charonn0@startrek.website avatar

As its name suggests, LogoFAIL involves logos, specifically those of the hardware seller that are displayed on the device screen early in the boot process, while the UEFI is still running. Image parsers in UEFIs from all three major IBVs are riddled with roughly a dozen critical vulnerabilities that have gone unnoticed until now. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment.

So, does disabling the boot logo prevent the attack, or would it only make the attack obvious?

lol, (edited )
@lol@discuss.tchncs.de avatar

deleted_by_author

    •
    charonn0,
    @charonn0@startrek.website avatar

    Usually you can, though the setting might be listed under something like “show diagnostic during boot”.

    lazylion_ca,

    If you have access to replace the logo file, you probably have access to enable it as well.

    fl42v,

    Not necessarily, I guess. They’re talking about a firmware upgrade of sorts, and, at least on the machines I own(ed), performing it didn’t reset user settings (which disabling the logo is)

    kugmo, to linux in Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack
    @kugmo@sh.itjust.works avatar

    So this is only for the background of the motherboard boot up logo like from Asus, Acer, Gigabyte ect? Not your grub or rEFInd background correct?

    elscallr,
    @elscallr@lemmy.world avatar

    Correct.

    palordrolap, to linux in Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack

    It's rare that I get to feel anything remotely comforting about not being able to afford new hardware, but if I understand correctly, my BIOS-only dinosaur can't be exploited.

    Still vulnerable to thousands of other exploits no doubt, but not this one.

    plinky, to linux in Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack
    @plinky@hexbear.net avatar

    damn 😱

    redd,
    @redd@discuss.tchncs.de avatar

    Don’t panic!

    0x0, to linux in Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack

    I wonder if old BIOS are vulnerable…

    admin,
    @admin@lemmy.my-box.dev avatar

    Nope, they aren’t as universal as EFI. I think the closest comparable attack vector for “old tech” is a bootsector virus.

    library_napper, to linux in SSH protects the world’s most sensitive networks. It just got a lot weaker
    @library_napper@monyet.cc avatar

    So hardened ssh configs following best practice cipher whitelist are unaffected, cool

    ItsComplicated, to privacyguides in Automakers’ data privacy practices “are unacceptable,” says US senator

    I prefer my car just be a car! I am definitely getting old.

    MasterBuilder,

    No, you aren’t. You just haven’t been conditioned your whole life to accept 100% surveillance.

    loaExMachina, to linux in SSH protects the world’s most sensitive networks. It just got a lot weaker

    Great photo illustration

    carnimoss, to privacyguides in Automakers’ data privacy practices “are unacceptable,” says US senator

    Are there any modern cars without this problem? It makes sense that they steal data considering how many have wifi and bluetooth

    speaker_hat,

    I guess only the ones without Internet connection

    HeyThisIsntTheYMCA, to upliftingnews in Crispr gene editing shown to permanently lower high cholesterol
    @HeyThisIsntTheYMCA@lemmy.world avatar

    Yeah, but then you get to have the side effects of having had done crispr gene editing. Have they really gotten that down to a two week sniffle?

    eyes,

    Probably better than dying, high cholesterol is responsible for 7.1% of deaths in England alone. In 2022 that’s something like 40k deaths a year that could have been elimated.

    Drusas, to privacyguides in CVS, Rite Aid, Walgreens hand out medical records to cops without warrants

    For those of you who think you are using a local pharmacy, you might want to check whether or not they're owned by one of these. They buy out local pharmacies without obviously rebranding. And then they kill the store. At least, that's Rite Aid's MO.

    melroy, to linux in New systemd update will bring Windows’ infamous Blue Screen of Death to Linux | Ars Technica
    @melroy@kbin.melroy.org avatar

    What?? No no.. Please no.

    kbal, to linux in New systemd update will bring Windows’ infamous Blue Screen of Death to Linux | Ars Technica
    @kbal@fedia.io avatar

    As people have said in some of the many, many other threads on this subject, if they really wanted to copy someone else's style of full-screen error message they'd have done much better to go with "Guru Meditation"

    carlytm, to linux in New systemd update will bring Windows’ infamous Blue Screen of Death to Linux | Ars Technica

    At last, the Year of the Linux Desktop.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • localhost
  • All magazines
    •
    Loading…
    Loading the web debug toolbar…
    Attempt #