Researchers have discovered an unpatched weakness in Microsoft's Windows Platform Binary Table (WPBT) that can let attackers install a rootkit. It affects every Windows-based device since Windows 8, and it can potentially allow bad actors to compromise the integrity of those devices.
Researchers from Eclypsium in a report published on Monday said, “These flaws make every Windows system vulnerable to easily-crafted attacks that install fraudulent vendor-specific tables.
These tables can be exploited by attackers with direct physical access, remote access, or through manufacturer supply chains. More importantly, these motherboard-level flaws can obviate initiatives like Secured-core because of the ubiquitous usage of ACPI [Advanced Configuration and Power Interface] and WPBT.”
Microsoft introduced WPBT with Windows 8 in 2012. The feature enables “boot firmware to provide Windows with a platform binary that the operating system can execute.”
It lets PC manufacturers point to signed portable executables or other vendor-specific drivers that ship as part of the UEFI firmware ROM image, so that they can be loaded into physical memory during Windows initialization, before any operating system code has executed.
The WPBT allows critical features such as anti-theft software to persist even when the operating system has been modified, formatted, or reinstalled; this is what makes the software “stick to the device indefinitely.” Microsoft has warned about the security risks of using WPBT, including the possibility of deploying rootkits on Windows machines.
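The first thing a practitioner will want to know is whether a given machine's firmware publishes a WPBT at all, and what it points to. The script below is an added example written for this page (it is not Eclypsium's or Microsoft's code). It decodes the table's fixed layout, which follows the WPBT specification: the standard 36-byte ACPI header, then the handoff size, the physical address of the in-memory PE image, a layout byte, a content-type byte and a UTF-16 argument string. It reads the table through `GetSystemFirmwareTable` on Windows and from `/sys/firmware/acpi/tables/WPBT` on Linux (root required there), or from a file given on the command line. The sample table built by `build_sample_wpbt` is constructed here for testing; its OEM IDs, address and arguments are made up and do not describe any real vendor's firmware.

```python
"""Locate and decode the ACPI WPBT table on the current machine."""
import ctypes
import struct
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Standard 36-byte ACPI description header, followed by the WPBT body:
# handoff size (u32), handoff physical address (u64), layout (u8),
# content type (u8), argument string length in bytes (u16).
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")
MIN_TABLE_LEN = ACPI_HEADER.size + WPBT_BODY.size  # 52 bytes before the argument string

LINUX_SYSFS_PATH = Path("/sys/firmware/acpi/tables/WPBT")


@dataclass
class WpbtTable:
    length: int
    revision: int
    oem_id: str
    oem_table_id: str
    handoff_size: int      # bytes of the flat PE image the firmware left in RAM
    handoff_address: int   # physical address of that image
    layout: int            # 1 = single flat PE image
    content_type: int      # 1 = native user-mode application
    arguments: str         # UTF-16 command line handed to the binary
    checksum_ok: bool      # every ACPI table must sum to 0 mod 256


def parse_wpbt(raw: bytes) -> WpbtTable:
    """Decode a raw WPBT table, validating signature, length and ACPI checksum."""
    if len(raw) < MIN_TABLE_LEN:
        raise ValueError(f"table too short: {len(raw)} bytes")
    sig, length, rev, _csum, oem_id, oem_tbl, _, _, _ = ACPI_HEADER.unpack_from(raw, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table (signature {sig!r})")
    if length < MIN_TABLE_LEN or length > len(raw):
        raise ValueError(f"bad table length {length} for {len(raw)} bytes")
    table = raw[:length]
    hsize, haddr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if MIN_TABLE_LEN + args_len > length:
        raise ValueError("argument string runs past the end of the table")
    args = table[MIN_TABLE_LEN:MIN_TABLE_LEN + args_len]
    return WpbtTable(
        length=length,
        revision=rev,
        oem_id=oem_id.decode("ascii", "replace").strip("\x00 "),
        oem_table_id=oem_tbl.decode("ascii", "replace").strip("\x00 "),
        handoff_size=hsize,
        handoff_address=haddr,
        layout=layout,
        content_type=ctype,
        arguments=args.decode("utf-16-le", "replace").rstrip("\x00"),
        checksum_ok=(sum(table) & 0xFF) == 0,
    )


def read_wpbt_from_firmware() -> Optional[bytes]:
    """Return the raw WPBT table from the running system, or None if firmware published none."""
    if sys.platform == "win32":
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        fn = k32.GetSystemFirmwareTable
        fn.argtypes = (ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32)
        fn.restype = ctypes.c_uint32
        provider = int.from_bytes(b"ACPI", "big")      # 'ACPI' provider signature
        table_id = int.from_bytes(b"WPBT", "little")   # table signature as little-endian DWORD
        needed = fn(provider, table_id, None, 0)       # size query; 0 means not found/error
        if needed == 0:
            return None
        buf = ctypes.create_string_buffer(needed)
        got = fn(provider, table_id, buf, needed)
        return buf.raw[:got] if got else None
    if LINUX_SYSFS_PATH.exists():                      # readable by root only
        return LINUX_SYSFS_PATH.read_bytes()
    return None


def build_sample_wpbt(args: str = "/quiet", address: int = 0x7E000000, size: int = 0x8000) -> bytes:
    """Construct a well-formed sample table (invented for testing, not a real vendor's)."""
    arg_bytes = args.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(size, address, 1, 1, len(arg_bytes)) + arg_bytes
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"WPBTSMPL", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF   # checksum byte lives at header offset 9
    return bytes(table)


if __name__ == "__main__":
    raw = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else read_wpbt_from_firmware()
    if raw is None:
        print("No WPBT table: firmware hands Windows no platform binary on this machine.")
        sys.exit(0)
    t = parse_wpbt(raw)
    print(f"WPBT rev {t.revision} from OEM {t.oem_id!r}/{t.oem_table_id!r}, "
          f"checksum {'OK' if t.checksum_ok else 'BAD'}")
    print(f"  payload: {t.handoff_size:#x} bytes at physical {t.handoff_address:#x}, "
          f"layout={t.layout} type={t.content_type} args={t.arguments!r}")
```

A present table is not by itself a compromise; it is the OEM mechanism the article describes. What the output gives you is the physical address and size of the image Windows will execute, so that the binary (which Session Manager writes to `%SystemRoot%\System32\wpbbin.exe` before running it) can be pulled and its signature inspected rather than trusted.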
Microsoft's documentation states, “Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions. In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent).”
The researchers traced the weakness to the fact that the WPBT mechanism accepts a signed binary whose certificate has been revoked or has expired, which bypasses the integrity check entirely. An attacker can therefore sign a malicious binary with an available expired certificate and, when the device boots, run arbitrary code with kernel privileges.
Microsoft has recommended using a Windows Defender Application Control (WDAC) policy to control which binaries are permitted to run on your devices.
The researchers further said, “This weakness can be potentially exploited via multiple vectors (e.g., physical access, remote, and supply chain) and by multiple techniques (e.g., malicious bootloader, DMA, etc). Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices.”