
Latest Vulnerability in Microsoft Windows Could Make it Simple for Hackers to Install a Rootkit

by CISOCONNECT Bureau

Security researchers disclosed that an unpatched vulnerability in WPBT could allow hackers to install a rootkit and compromise device integrity. Read on to learn more.

Microsoft’s Windows Platform Binary Table (WPBT) has an unpatched vulnerability that affects all Windows-based devices starting with Windows 8. The vulnerability could be used to install a rootkit and jeopardise the integrity of the device.

Eclypsium researchers stated in a report that these flaws expose all Windows devices to attacks that install fraudulent vendor-specific tables. Attackers could abuse these tables through direct physical access, remote access, or the manufacturer supply chain. Because ACPI (Advanced Configuration and Power Interface) and WPBT are so widely used, these motherboard-level vulnerabilities might render initiatives like Secured-core ineffective.

Researchers from Eclypsium said in a report published on Monday, “These flaws make every Windows system vulnerable to easily-crafted attacks that install fraudulent vendor-specific tables,”

“These tables can be exploited by attackers with direct physical access, with remote access, or through manufacturer supply chains. More importantly, these motherboard-level flaws can obviate initiatives like Secured-core because of the ubiquitous usage of ACPI [Advanced Configuration and Power Interface] and WPBT.”

The Crucial WPBT
WPBT is a feature that was initially introduced in Windows 8 in 2012, allowing the Windows operating system to receive a platform binary from the firmware and run it. In other words, it allows PC manufacturers to point to signed portable executables or other vendor-specific drivers included in the UEFI firmware ROM image so that they can be loaded into physical memory before any operating system code is executed during Windows initialisation.

The main purpose of WPBT is to keep critical functionality, such as anti-theft software, in place across reinstalls. However, Microsoft has warned that abuse of WPBT could lead to security problems, such as the deployment of rootkits on Windows computers, because the functionality allows such malware to “stick to the device permanently.”

Because the WPBT feature allows system software to run in Windows, it is critical that WPBT-based solutions are secure and do not expose Windows users to vulnerable situations. In particular, WPBT solutions must not contain malware, i.e. malicious or unwanted software installed without proper user consent.

Flaw in WPBT
The vulnerability was uncovered because the WPBT mechanism accepts a signed binary whose certificate has been revoked or has expired, so the integrity check can be evaded entirely. As a result, an attacker can sign a malicious binary with an expired certificate and run arbitrary code with kernel privileges when the device boots up.
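To make the mechanism concrete, here is an added example (not from the article or from Eclypsium) that parses a WPBT ACPI table the way a firmware inventory or detection tool would, assuming the layout in Microsoft's public WPBT specification and a constructed sample table. It shows that the table itself carries only an ACPI checksum and a pointer to the binary, so the Authenticode check on the referenced executable, the check the article says accepts expired or revoked certificates, is the only authenticity control in the chain.

```python
import struct
# Layout follows Microsoft's public WPBT specification (not the article):
# a 36-byte ACPI header, then handoff size (u32), physical address (u64),
# content layout (u8, 1 = single PE image), content type (u8, 1 = native
# user-mode application), command-line byte length (u16) and the UTF-16LE
# command line. Field names and the sample values are this example's own.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")
LAYOUTS = {1: "single PE image"}
TYPES = {1: "native user-mode application"}

def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must sum to zero modulo 256 over its whole length."""
    return sum(table) % 256 == 0

def parse_wpbt(table: bytes) -> dict:
    """Validate a WPBT table and report what it asks Windows to load and run."""
    sig, length, _rev, _cs, oemid, oemtid, _, _, _ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if length != len(table) or length < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("declared length does not match table size")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    size, phys, layout, ptype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    off = ACPI_HEADER.size + WPBT_BODY.size
    if off + args_len > length:
        raise ValueError("command-line length runs past the end of the table")
    args = table[off:off + args_len].decode("utf-16-le").rstrip("\x00")
    return {
        "oem_id": oemid.strip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oemtid.strip(b"\x00 ").decode("ascii", "replace"),
        "image_phys_addr": phys, "image_size": size,
        "layout": LAYOUTS.get(layout, f"unknown({layout})"),
        "type": TYPES.get(ptype, f"unknown({ptype})"),
        "command_line": args,
    }

def build_wpbt(phys_addr: int, image_size: int, args: str = "") -> bytes:
    """Construct a sample table (test data only) with a valid checksum."""
    args_b = args.encode("utf-16-le") + b"\x00\x00" if args else b""
    body = WPBT_BODY.pack(image_size, phys_addr, 1, 1, len(args_b)) + args_b
    length = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"CONSTRCT", 1, b"EXMP", 1)
    raw = bytearray(hdr + body)
    raw[9] = (-sum(raw)) % 256  # ACPI checksum byte sits at header offset 9
    return bytes(raw)

if __name__ == "__main__":
    print(parse_wpbt(build_wpbt(0x7FF00000, 0x20000, "/quiet")))
```

On a real machine the raw table would come from the firmware's ACPI tables rather than from build_wpbt; the parser then tells a defender where the platform binary sits and what command line it will be started with.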

As a result of the findings, Microsoft recommends using a Windows Defender Application Control (WDAC) policy to strictly regulate which binaries can run on the devices.

This flaw can be exploited through a variety of vectors (e.g., physical access, remote access, and supply chain) and using a variety of techniques (e.g., a malicious bootloader, DMA, etc.). Organisations should assess these vectors and implement a layered approach to security to ensure that all available fixes are deployed and any possible device compromise is detected.

Microsoft notes in its documentation: “Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.

“In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent).”

In response to the findings, Microsoft has recommended using a Windows Defender Application Control (WDAC) policy to strictly restrict which binaries are allowed to run on the devices.
