Microsoft WPBT flaw lets hackers install rootkits on Windows devices
Security researchers have found a vulnerability in the Microsoft Windows Platform Binary Table (WPBT) that could be exploited in simple attacks to install rootkits on all Windows computers shipped since 2012.
Rootkits are malicious tools that threat actors create to dig deep into the operating system, take complete control of a compromised system, and evade detection while doing so.
However, this mechanism (an ACPI table through which the firmware hands Windows a binary to run at boot) not only allows OEMs to force the installation of critical software that cannot be bundled with Windows installation media; it can also allow attackers to deliver malicious tools, as Microsoft warns in its own documentation.
“Since this feature enables system software to run permanently in the context of Windows, it is important that WPBT-based solutions are as secure as possible and that Windows users do not expose them to exploitable conditions,” explains Microsoft.
“In particular, WPBT solutions must not contain malware (that is, malicious software or unwanted software installed without sufficient user consent).”
Applies to all computers with Windows 8 or higher
The vulnerability found by Eclypsium researchers has been present on Windows computers since 2012, when the feature was first introduced with Windows 8.
Such attacks can use a variety of techniques, either writing to the memory region where the ACPI tables (including WPBT) reside or using a malicious boot loader.
“The Eclypsium research team has identified a vulnerability in Microsoft’s WPBT capability that could allow an attacker to run malicious code with kernel privileges when a device boots up,” said the Eclypsium researchers.
“This vulnerability can potentially be exploited through multiple vectors (e.g., physical access, remote, and supply chain) and by multiple techniques (e.g., malicious bootloader, DMA, etc.).”
Eclypsium has shared a demo video showing how this vulnerability can be exploited.
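Because the WPBT payload arrives from firmware rather than from disk, a defender's first question is whether a given machine exposes a WPBT table at all and what it asks Windows to run. The following PowerShell inventory check is an added example, not code from the article, Eclypsium, or Microsoft. It assumes the documented Win32 API GetSystemFirmwareTable in kernel32.dll, that the field offsets follow Microsoft's published WPBT table layout, and that the binary Windows extracts from the table lands at %SystemRoot%\System32\wpbbin.exe.

```powershell
# Added example, not from the article, Eclypsium, or Microsoft: a read-only inventory
# check that reports whether the firmware exposes a WPBT ACPI table, what it asks
# Windows to run, and whether the binary Windows extracted from it is validly signed.
# Assumptions: GetSystemFirmwareTable in kernel32.dll (documented Win32 API); the
# field offsets follow Microsoft's published WPBT table layout; the extracted binary
# is assumed to be written to $env:SystemRoot\System32\wpbbin.exe.

Add-Type -Namespace Firmware -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

function Get-AcpiTableId([string]$Signature) {
    # ACPI table IDs are the signature's four ASCII bytes read as a little-endian DWORD
    [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes($Signature), 0)
}

function Get-WpbtRawTable {
    $acpi = 0x41435049                      # 'ACPI' firmware table provider signature
    $id   = Get-AcpiTableId 'WPBT'
    $size = [Firmware.Native]::GetSystemFirmwareTable($acpi, $id, $null, 0)
    if ($size -eq 0) { return $null }       # firmware exposes no WPBT table
    $buf = New-Object byte[] $size
    [void][Firmware.Native]::GetSystemFirmwareTable($acpi, $id, $buf, $size)
    return $buf
}

function Get-WpbtInfo {
    $t = Get-WpbtRawTable
    if ($null -eq $t) { return [pscustomobject]@{ Present = $false } }
    # Standard 36-byte ACPI header, followed by the WPBT-specific fields
    $info = [ordered]@{
        Present       = $true
        Length        = [BitConverter]::ToUInt32($t, 4)
        OemId         = [Text.Encoding]::ASCII.GetString($t, 10, 6).Trim()
        OemTableId    = [Text.Encoding]::ASCII.GetString($t, 16, 8).Trim()
        HandoffSize   = [BitConverter]::ToUInt32($t, 36)   # size of the PE image in memory
        HandoffAddr   = [BitConverter]::ToUInt64($t, 40)   # physical address of the image
        ContentLayout = $t[48]                              # 1 = single PE image
        ContentType   = $t[49]                              # 1 = native user-mode application
        CommandLine   = ''
    }
    if ($t.Length -ge 52) {
        $cmdLen = [BitConverter]::ToUInt16($t, 50)          # byte length of the UTF-16 arguments
        if ($cmdLen -gt 0 -and $t.Length -ge 52 + $cmdLen) {
            $info.CommandLine = [Text.Encoding]::Unicode.GetString($t, 52, $cmdLen).TrimEnd([char]0)
        }
    }
    [pscustomobject]$info
}

function Test-WpbtBinarySignature {
    # Assumed drop location of the WPBT payload before Windows runs it
    $bin = Join-Path $env:SystemRoot 'System32\wpbbin.exe'
    if (-not (Test-Path $bin)) { return [pscustomobject]@{ Path = $bin; Exists = $false } }
    $sig = Get-AuthenticodeSignature -FilePath $bin
    [pscustomobject]@{
        Path   = $bin
        Exists = $true
        Sha256 = (Get-FileHash -Path $bin -Algorithm SHA256).Hash
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
    }
}

Get-WpbtInfo | Format-List
Test-WpbtBinarySignature | Format-List
```

Run it as Administrator on each hardware model in the fleet and record the OEM ID, hash and signer: a machine that suddenly reports a WPBT table it never had, a different signer, or a non-Valid signature status is worth a closer look.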
Mitigation measures include the use of WDAC policies
After Eclypsium notified Microsoft of the bug, the software giant recommended using a Windows Defender Application Control (WDAC) policy, which can control which binaries are allowed to run on a Windows device.
“The WDAC policy is also enforced for binary files contained in the WPBT and should alleviate this problem,” said Microsoft’s support document.
WDAC policies can only be created on client editions of Windows 10 1903 and higher and Windows 11, or on Windows Server 2016 and higher.
On systems running older versions of Windows, you can use AppLocker policies to control which apps can run on a Windows client.
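The steps above describe the mitigation in the abstract; the following PowerShell sequence is an added example (not from the article or from Microsoft's support document) of building a WDAC policy from a known-good reference machine, deploying it in audit mode, reviewing what it would have blocked, and then enforcing it. It assumes an elevated session on a supported build (Windows 10 1903 and higher, Windows 11, or Windows Server 2016 and higher, as stated above), that the ConfigCI module's cmdlets are available, and the legacy single-policy deployment path; the temporary file paths are placeholders.

```powershell
# Added example, not from the article or from Microsoft's support document: build a
# WDAC policy from a known-good reference machine, deploy it in audit mode first, then
# enforce it so that WPBT-delivered binaries are subject to the same allow-list as
# everything else running in user mode. Assumptions: run as Administrator on a
# supported Windows build, the ConfigCI module is present, and the legacy
# single-policy deployment path is used. The temporary output paths are placeholders.

$PolicyXml = "$env:TEMP\WpbtPolicy.xml"
$PolicyBin = "$env:TEMP\SIPolicy.p7b"

# 1. Scan the reference system. Publisher-level rules trust binaries by their signer;
#    unsigned files fall back to hash rules. -UserPEs matters here: the WPBT binary
#    runs in user mode, so without user-mode rules WDAC would not cover it.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $PolicyXml

# 2. Rule options: 0 = Enabled:UMCI (user-mode code integrity), 3 = Enabled:Audit Mode.
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile and deploy. The legacy single-policy binary is read from this path at boot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
# Restart-Computer   # the policy takes effect at the next boot

# 4. After a boot in audit mode, review what would have been blocked. Event 3076 is
#    the audit-mode "would have been blocked" record; 3077 is an actual block once enforced.
function Get-CodeIntegrityAuditEvents {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, Message
}
Get-CodeIntegrityAuditEvents | Format-Table -AutoSize -Wrap

# 5. Once the audit log shows only binaries you expect, remove audit mode,
#    recompile and redeploy to switch the policy to enforcement.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
```

The audit pass is the important part: a WPBT binary that the OEM legitimately ships will show up as a 3076 event if the reference scan did not capture its publisher, and that is the moment to decide whether to add a rule for it or to treat it as unwanted, rather than discovering the choice after enforcement breaks the boot-time component.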
“These motherboard-level deficiencies can prevent initiatives like Secured-Core due to the ubiquitous use of ACPI and WPBT,” added the Eclypsium researchers.
“Security professionals need to identify, verify, and strengthen the firmware used in their Windows systems. Organizations need to consider these vectors and take a layered approach to security to ensure that all available fixes are applied and potential device vulnerabilities are identified.”
Eclypsium has also discovered another attack vector, in the BIOSConnect feature of Dell SupportAssist (software preinstalled on most Dell Windows devices), that allows attackers to take control of the boot process of a target device and break operating-system-level security controls.
As the researchers revealed, the problem affects “129 Dell models of consumer and business laptops, desktops and tablets, including devices protected by Secure Boot and Dell Secured Core PCs,” with approximately 30 million individual devices exposed to attack.