Security researchers have revealed an uncorrected weakness in Microsoft Windows Platform Binary Table (WPBT) affecting all Windows-based devices since Windows 8 that could potentially be exploited to install a rootkit and compromise device integrity.
“These flaws make every Windows system vulnerable to easily designed attacks that install fraudulent vendor-specific tables,” Eclypsium researchers said in a report released Monday. “These tables can be exploited by attackers with direct physical access, with remote access, or through manufacturer supply chains. More importantly, these motherboard flaws can prevent initiatives like Secured-core due to the ubiquitous use of ACPI [Advanced Configuration and Power Interface] and WPBT.”
WPBT, introduced with Windows 8 in 2012, is a feature that allows “boot firmware to provide Windows with a platform binary that the operating system can run.”
In other words, it lets PC manufacturers point to signed portable executables or other vendor-specific drivers that are part of the UEFI firmware ROM image, so that they can be loaded into physical memory during Windows initialization, before any operating system code executes.
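The firmware side of this hand-off can be inspected from a running system: Windows exposes raw ACPI tables through the Win32 GetSystemFirmwareTable API (provider 'ACPI', table ID 'WPBT'), and the bytes it returns can be decoded with a parser like the one below. This Python parser is an added example, not Eclypsium's or Microsoft's code; its field offsets follow Microsoft's published WPBT specification and are an assumption to verify against that document, and the sample table it decodes is constructed here rather than captured from real firmware.

```python
import struct

ACPI_HEADER_LEN = 36    # standard ACPI table header: signature, length, revision, checksum, OEM ids
HANDOFF_OFFSET = ACPI_HEADER_LEN  # WPBT-specific fields start right after the header (assumption)
CMDLINE_OFFSET = 50     # content type 1 (native PE): UINT16 argument length, then UTF-16 arguments

def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must sum to 0 modulo 256 over its whole length."""
    return sum(table) % 256 == 0

def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT table into its fields; raises ValueError on malformed input."""
    if len(table) < CMDLINE_OFFSET:
        raise ValueError("buffer too short to be a WPBT")
    sig, length, rev, _chk, oem_id, oem_tbl, _oem_rev, creator, _crev = struct.unpack_from(
        "<4sIBB6s8sI4sI", table, 0)
    if sig != b"WPBT" or length != len(table):
        raise ValueError(f"bad signature {sig!r} or length {length} != {len(table)}")
    handoff_size, handoff_loc, layout, ctype = struct.unpack_from("<IQBB", table, HANDOFF_OFFSET)
    info = {
        "revision": rev,
        "oem_id": oem_id.strip(b"\x00 ").decode(errors="replace"),
        "oem_table_id": oem_tbl.strip(b"\x00 ").decode(errors="replace"),
        "creator_id": creator.decode(errors="replace"),
        "handoff_location": handoff_loc,   # physical address where firmware placed the PE image
        "handoff_size": handoff_size,
        "content_layout": layout, "content_type": ctype,
        "checksum_ok": acpi_checksum_ok(table),
    }
    if ctype == 1:  # 1 = native PE image (assumption from the spec)
        (arg_len,) = struct.unpack_from("<H", table, CMDLINE_OFFSET)
        raw = table[CMDLINE_OFFSET + 2 : CMDLINE_OFFSET + 2 + arg_len]
        if len(raw) != arg_len:
            raise ValueError("command-line length exceeds table")
        info["command_line"] = raw.decode("utf-16-le").rstrip("\x00")
    return info

def build_sample_wpbt(handoff_loc: int, handoff_size: int, cmdline: str) -> bytes:
    """Constructed sample table (not captured from real firmware) used to exercise the parser."""
    args = cmdline.encode("utf-16-le")
    body = struct.pack("<IQBBH", handoff_size, handoff_loc, 1, 1, len(args)) + args
    length = ACPI_HEADER_LEN + len(body)
    header = struct.pack("<4sIBB6s8sI4sI", b"WPBT", length, 1, 0,
                         b"SAMPLE", b"SAMPLE01", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) % 256     # checksum byte sits at header offset 9
    return bytes(table)

if __name__ == "__main__":
    for key, val in parse_wpbt(build_sample_wpbt(0x7F000000, 0x1000, "-silent")).items():
        print(f"{key:18} {val:#x}" if isinstance(val, int) and not isinstance(val, bool) else f"{key:18} {val}")
```

The parser only reports whether a platform binary is declared, where it sits in memory and what command line it receives; the Authenticode signature of the PE at that address, including the expiry and revocation status that the finding above says Windows does not enforce, still has to be verified separately.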
The main goal of WPBT is to allow critical features like anti-theft software to persist even when the operating system has been modified, formatted or reinstalled. But because the feature lets such software “stay on the device indefinitely,” Microsoft has warned of potential security risks from improper use of WPBT, including the possibility of deploying rootkits on Windows machines.
“Because this feature provides the ability to persistently run system software in the context of Windows, it becomes essential that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions,” Microsoft notes in its documentation. “In particular, WPBT solutions must not include malware (that is, malicious software or unwanted software installed without adequate user consent).”
The vulnerability discovered by the enterprise firmware security company is rooted in the fact that the WPBT mechanism accepts a signed binary whose certificate has been revoked or has expired, completely bypassing the integrity check. An attacker can therefore sign a malicious binary with an already available expired certificate and run arbitrary code with kernel privileges at device startup.
In response to the findings, Microsoft recommended using a Windows Defender Application Control (WDAC) policy to tightly restrict which binaries are allowed to run on devices.
The latest disclosure follows a separate set of findings in June 2021 involving four vulnerabilities, collectively known as BIOS Disconnect, that could be weaponized to obtain remote code execution in a device’s firmware during a BIOS update, further highlighting the complexity and challenges involved in securing the boot process.
“This weakness can potentially be exploited through multiple vectors (e.g., physical, remote, and supply chain access) and by multiple techniques (e.g., malicious boot loader, DMA, etc.),” the researchers said. “Organizations will need to consider these vectors and use a layered security approach to ensure that all available fixes are applied and identify any potential compromises on devices.”