Security researchers have discovered a flaw in the Microsoft Windows Platform Binary Table (WPBT) that could be exploited in simple attacks to install rootkits on all Windows computers shipped since 2012.
Rootkits are malicious tools created by threat actors to evade detection by burrowing deep into the operating system and used to fully support compromised systems while avoiding detection.
WPBT is a fixed firmware ACPI (Advanced Configuration and Power Interface) table introduced by Microsoft from Windows 8 to allow vendors to run programs every time a device is started.
However, in addition to allowing OEMs to force the installation of critical software that cannot be bundled with Windows installation media, this mechanism can also allow attackers to deploy malicious tools, as Microsoft warns in its own documentation.
“Since this feature provides the ability to persistently run system software in the context of Windows, it becomes essential that WPBT-based solutions are as secure as possible and do not expose Windows users to conditions. exploitable, ”says Microsoft.
“In particular, WPBT solutions must not include malware (that is, malware or unwanted software installed without adequate user consent).”
Impacts all computers running Windows 8 or later
The weakness found by Eclypsium researchers has been present on Windows computers since 2012, when the feature was first introduced with Windows 8.
These attacks can use various techniques that allow writing to memory where ACPI tables are located (including WPBT) or by using a malicious boot loader.
This can be by abusing the BootHole vulnerability that bypasses Secure Boot or through DMA attacks from vulnerable devices or components.
“The Eclypsium research team has identified a weakness in Microsoft’s WPBT capability that can allow an attacker to execute malicious code with kernel privileges when a device boots,” Eclypsium researchers said.
“This weakness can potentially be exploited through multiple vectors (eg, physical, remote, and supply chain access) and by multiple techniques (eg, malicious boot loader, DMA, etc.)”
Eclypsium shared the following demo video which shows how this security flaw can be exploited.
Mitigation measures include the use of WDAC policies
After Eclypsium informed Microsoft about the bug, the software giant recommended using a Windows Defender application control policy that helps control which binaries can run on a Windows device.
“The WDAC policy is also enforced for binaries included in the WPBT and should mitigate this problem,” Microsoft says in the support document.
WDAC policies can only be created on client editions of Windows 10 1903 and later and Windows 11 or on Windows Server 2016 and later.
On systems running older versions of Windows, you can use AppLocker policies to control which applications are allowed to run on a Windows client.
“These motherboard flaws can prevent initiatives like Secured-core due to the ubiquitous use of ACPI and WPBT,” added Eclypsium researchers.
“Security professionals need to identify, verify and harden the firmware used in their Windows systems. Organizations will need to consider these vectors and use a layered security approach to ensure that all available fixes are applied and identify any potential compromises on devices.
Eclypsium has found another attack vector that allows malicious actors to take control of the boot process of a targeted device and break OS-level security checks in the BIOSConnect feature of Dell SupportAssist, a software preinstalled on most Dell Windows devices.
As the researchers revealed, the issue “affects 129 Dell models of consumer and business laptops, desktops and tablets, including Secure Boot protected devices and Dell Secured-core PCs.” with around 30 million individual devices exposed to attacks.
