Hello and welcome to the Monday, December 4, 2023 edition of the Sands and Stormers Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Researchers from binary discovered multiple vulnerabilities in UIFI firmware that are not necessarily easy to exploit, but given how

ubiquitous these vulnerabilities are, are certainly a concern given that UEFI firmware

is often sort of your root of trust when it comes to different operating systems and computers.

They call the flaw logo fail because, well, it deals with the boot logo.

The boot logo is not necessarily something that you may consider super security sensitive

for such.

It's kind of neat that you can change the logo being displayed by your system from

the manufacturers given design to, well, whatever you would like it to be. But of course,

displaying this logo does require that the firmware is able to parse these image formats. And

image format parsers did have a number of vulnerabilities

in the past. And it's exactly what's happening here. They're using outdated libraries to

display JPEX and other image formats that may be used here. And as a result, the system then is exploitable because these flaws can then be used here and as a result the system then is exploitable because these flaws

can then be used to execute opt-rate code at the time the system boots bypassing security features

like secure boot what makes a dizz attack kind of special and dangerous is that it doesn't

actually modify any of the firmers

code. So any kind of code integrity checks on the firmware are not going to protect you against

the vulnerability as the exploit is run whenever you're booting the system. And in that sense,

kind of persistent as long as

the image remains on the system.

And then, well, moving from a very technical to a not very technical, probably more successful

...