Computer security researchers from Binarly have identified a widespread set of vulnerabilities that affect most Windows and Linux computers due to bugs in the boot-loader that starts the computer (before the operating system starts).
The attack—dubbed LogoFAIL by the researchers who devised it—is notable for the relative ease in carrying it out, the breadth of both consumer- and enterprise-grade models that are susceptible, and the high level of control it gains over them. In many cases, LogoFAIL can be remotely executed in post-exploit situations using techniques that can’t be spotted by traditional endpoint security products. And because exploits run during the earliest stages of the boot process, they are able to bypass a host of defenses, including the industry-wide Secure Boot, Intel’s Secure Boot, and similar protections from other companies that are devised to prevent so-called bootkit infections.
...
The affected parties are releasing advisories that disclose which of their products are vulnerable and where to obtain security patches. Links to advisories and a list of vulnerability designations appears at the end of this article.
See the linked article for more details and context, including a video demonstration of one exploit. It’s a comprehensive article, with sections describing the implications of the exploits, how they work, how they were discovered, as well as a history of firmware exploits. Some parts of the article are pretty technical.
To continue following this issue, see the author’s thread on Mastodon (@dangoodin@infosec.exchange)
Edit: To clarify a few points raised in the comments:
1. “Many” Dell computers are likely not susceptible to this attack, but not all, so I removed the comment “Dell computers are likely not affected.” Furthermore, to be clear, Apple computers are not affected, nor are other devices like phones.
2. This vulnerability cannot give the attacker access to your computer remotely, but once they have ADMINISTRATOR access to your computer, it can give them complete control over it. This is a minor risk as long as you consistently practice good computer security habits (which includes installing the patch provided by your manufacturer when it’s available).
Edit2: Further discussions pointed out that this requires the attacker to first get administrator access, at least for a moment— then they can create this as a backdoor. Note that the default Windows accounts include administrator access, so ideally you would create a second (non-admin) account for day-to-day use and only provide administrator control to people who you fully trust.