A New Flaw Was Discovered in the Microsoft Windows Platform Binary Table (WPBT)
The Vulnerability Could Allow Hackers to Install Rootkits on Windows Devices.
Last updated on October 26, 2021
The flaw discovered by the researchers at Eclypsium in the Microsoft Windows Platform Binary Table (WPBT) can be exploited in attacks meant to install rootkits on all Windows computers that were shipped since 2012.
Rootkits are malicious computer programs that penetrate a machine in order to gain administrator or system-level rights.
Rootkits are primarily designed to bypass user authentication measures before a harmful payload arrives, despite their obviously secretive behavior (i.e., they often work in tandem with trojans or other types of viruses).
What Is WPBT?
The Windows Platform Binary Table is a fixed firmware ACPI (Advanced Configuration and Power Interface) table.
It was introduced by Microsoft in Windows 8 in order to allow its vendors to execute programs every time a device boots.
The mechanism is very important as it can enable OEMs to force install critical software that can’t be bundled with Windows installation media.
Unfortunately, the mechanism can allow attackers to deploy malicious tools.
Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions. In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent).
The attacks can use various techniques that allow writing to memory where ACPI tables (including WPBT) are located or by using a malicious bootloader, as the BootHole vulnerability can be easily abused.
The Eclypsium research team has identified a weakness in Microsoft’s WPBT capability that can allow an attacker to run malicious code with kernel privileges when a device boots up. This weakness can be potentially exploited via multiple vectors (e.g. physical access, remote, and supply chain) and by multiple techniques (e.g. malicious bootloader, DMA, etc).
Generally, it is recommended that customers, who are able to implement application control using WDAC rather than AppLocker, do so. WDAC is undergoing continual improvements, and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements.
AppLocker can also be deployed as a complement to WDAC to add the user or group-specific rules for shared device scenarios, where it is important to prevent some users from running specific apps. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.
If you have a system that is running any older Windows releases, you can use the AppLocker policies to control what apps are allowed to run on a Windows client.
Security professionals need to identify, verify and fortify the firmware used in their Windows systems. Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.