Researchers discovered an unpatched vulnerability in Microsoft’s Windows Platform Binary Table (WPBT), which affects all Windows-based devices starting from Windows 8. It may be used to install a rootkit and compromise device integrity.
In a report, Eclypsium researchers said that these vulnerabilities make all Windows devices vulnerable to attacks that install fake vendor-specific tables. Attackers can abuse these tables with direct physical access, remote access, or through manufacturer supply chains. Because of the widespread use of ACPI [Advanced Configuration and Power Interface] and WPBT, these motherboard-level vulnerabilities might negate initiatives like Secured-core.
WPBT is a feature that was first introduced in Windows 8 in 2012 and allowed Windows to receive a platform binary that the operating system may run. In other words, it enables PC makers to refer to certified portable executables or other vendor-specific drivers included in the UEFI firmware ROM image so that they may be loaded into physical memory during Windows initialization and before the execution of any operating system code.
WPBT’s primary goal is to keep essential features like anti-theft software in place. However, because the functionality allows such software to “stick to the device permanently,” Microsoft has warned the exploitation of WPBT might result in security issues, such as the deployment of rootkits on Windows computers.
As this feature allows system software to run persistently in the context of Windows, it’s crucial that WPBT-based solutions are safe and don’t expose Windows users to vulnerable situations. WPBT solutions, in particular, must not contain malware (i.e., malicious or unwanted software installed without proper user consent).
The flaw discovered stems from the fact that the WPBT mechanism can accept a signed binary with a revoked or expired certificate, bypassing the integrity check altogether. This way, it allows a hacker to sign a malicious binary with a previously expired certificate and run arbitrary code with kernel privileges when the device starts.
In response to the results, Microsoft has advised adopting a Windows Defender Application Limit policy to strictly control what binaries can execute on the devices.
This vulnerability may be exploited in various ways (e.g., physical access, remote access, and supply chain) and using multiple methods (e.g., malicious bootloader, DMA, etc.). To ensure that all available patches are deployed, and any possible device breaches are identified, organizations should examine these vectors and adopt a tiered approach to security.