Microsoft Windows WPBT feature exposed to high-risk vulnerability: attackers can plant a rootkit on Windows 8 and above

Security researchers at firmware security firm Eclypsium have discovered a vulnerability in Microsoft’s Windows Platform Binary Table (WPBT) that could be exploited to install a rootkit on all Windows computers released since 2012. Rootkits are malicious tools that threat actors use to take complete control of a compromised system while evading detection by hiding inside the operating system. WPBT is a fixed firmware ACPI (Advanced Configuration and Power Interface) table, introduced by Microsoft starting with Windows 8, that allows vendors to execute programs every time the device boots.

However, in addition to allowing OEMs to force the installation of critical software that cannot be bundled with Windows installation media, this mechanism also allows attackers to install malicious tools, as Microsoft warns in its own documentation.

This feature is designed to allow OEMs to include important files, drivers or system executables without modifying the Windows image on disk. Lenovo, ASUS and many other manufacturers have used this technology. However, because it executes files and modifies the operating system, this type of functionality can be viewed as a vendor-specific rootkit. Acclaimed researcher and co-author of Windows Internals, Alex Ionescu, has been calling out WPBT as a rootkit danger since 2012, and the concern continues to this day.

“Because this feature provides the ability to continuously execute system software in a Windows environment, it is critical that a WPBT-based solution is as secure as possible without exposing Windows users to exploitable conditions,” Microsoft explained.

“In particular, WPBT solutions must not include malware (i.e. malware or unnecessary software installations without adequate user consent).”

Affects all computers running Windows 8 and above

Eclypsium researchers found that the flaw has existed on Windows computers since the feature was first introduced in Windows 8 in 2012. The attacks can use various techniques that allow data to be written to the memory where ACPI tables (including WPBT) reside, or can use malicious bootloaders.

This can be achieved by abusing a BootHole vulnerability that bypasses Secure Boot, or through a DMA (Direct Memory Access) attack from a vulnerable peripheral or component.

“The Eclypsium research team has identified a weakness in Microsoft’s WPBT functionality that could allow an attacker to run malicious code with kernel privileges at device boot,” said the Eclypsium researchers.

“This vulnerability can be exploited through multiple vectors (e.g. physical access, remote and supply chain) and multiple techniques (e.g. malicious bootloaders, DMA, etc.).”

Mitigations include the use of WDAC policies

After Eclypsium informed Microsoft of the vulnerability, the software giant suggested the use of Windows Defender Application Control (WDAC) policies, which allow control over which binaries can run on Windows devices.

“The WDAC policy is also enforced for binaries included in WPBT and should mitigate this issue,” Microsoft said in a support document.

WDAC policies can only be created on Windows 10 version 1903 and later, Windows 11, or Windows Server 2016 and later.

On systems running older versions of Windows, you can use AppLocker policies to control which applications can run on Windows clients.

The Eclypsium researchers added: “These board-level flaws could avoid moves like Secured-core due to the widespread use of ACPI and WPBT.”

“Security professionals need to identify, validate and harden the firmware used in Windows systems. Organizations need to consider these vectors and adopt a layered security approach to ensure that all available fixes are applied and to identify any potential harm to the device.”
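The "identify and validate" step above starts with knowing whether a machine's firmware publishes a WPBT table at all, and what it points to. The following script is an added example for this article, not code from Eclypsium or Microsoft: it reads the live table through the Win32 GetSystemFirmwareTable API when run on Windows, and otherwise parses a constructed sample table so the decoder can be exercised offline. The field layout (36-byte ACPI header, then handoff size, handoff location, content layout, content type, command-line length and a UTF-16 command line) is taken from Microsoft's published WPBT specification and should be checked against the current revision; the helper names and the sample OEM strings are my own.

```python
import struct
import sys
from typing import Optional

# Layout of the WPBT table as published in Microsoft's WPBT specification
# (assumption: verify offsets against the current spec revision):
#   36-byte standard ACPI table header, then
#   HandoffMemorySize     u32   size in bytes of the embedded PE image
#   HandoffMemoryLocation u64   physical address of that image
#   ContentLayout         u8    1 = single PE image
#   ContentType           u8    1 = native user-mode application
#   CommandLineLength     u16   length in bytes of the UTF-16 command line
#   CommandLine           ...   UTF-16LE arguments handed to the image
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")          # 36 bytes
WPBT_BODY = struct.Struct("<IQBBH")                    # 16 bytes
WPBT_FIXED_LEN = ACPI_HEADER.size + WPBT_BODY.size     # 52 bytes


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must sum to zero modulo 256 over all of its bytes."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT table into its fields, rejecting malformed input."""
    if len(table) < WPBT_FIXED_LEN:
        raise ValueError("WPBT table shorter than its fixed part")
    (sig, length, revision, _chk, oem_id, oem_table_id,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected ACPI signature {sig!r}")
    if length != len(table):
        raise ValueError("ACPI header length does not match buffer size")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    (handoff_size, handoff_loc, layout, ctype,
     cmd_len) = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if WPBT_FIXED_LEN + cmd_len > len(table):
        raise ValueError("command-line length runs past the end of the table")
    raw_cmd = table[WPBT_FIXED_LEN:WPBT_FIXED_LEN + cmd_len]
    return {
        "revision": revision,
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "handoff_memory_size": handoff_size,
        "handoff_memory_location": handoff_loc,
        "content_layout": layout,
        "content_type": ctype,
        "command_line": raw_cmd.decode("utf-16-le", "replace").rstrip("\x00"),
    }


def read_wpbt_from_firmware() -> Optional[bytes]:
    """On Windows, fetch the live WPBT table with GetSystemFirmwareTable.
    Returns None on other platforms or when the firmware exposes no WPBT."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetSystemFirmwareTable.argtypes = [ctypes.c_uint32, ctypes.c_uint32,
                                           ctypes.c_void_p, ctypes.c_uint32]
    k32.GetSystemFirmwareTable.restype = ctypes.c_uint32
    provider = int.from_bytes(b"ACPI", "big")      # 'ACPI' provider signature
    table_id = int.from_bytes(b"WPBT", "little")   # table signature as a DWORD
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None
    buf = ctypes.create_string_buffer(needed)
    got = k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw[:got] if got else None


def build_sample_wpbt(location: int, size: int, cmdline: str) -> bytes:
    """Constructed sample table (not captured from real firmware) so the
    parser can run offline; the checksum is filled in the way firmware does."""
    cmd = cmdline.encode("utf-16-le") + b"\x00\x00"
    header = ACPI_HEADER.pack(b"WPBT", WPBT_FIXED_LEN + len(cmd), 1, 0,
                              b"SAMPLE", b"WPBTDEMO", 1, b"EXMP", 1)
    body = WPBT_BODY.pack(size, location, 1, 1, len(cmd))
    table = bytearray(header + body + cmd)
    table[9] = (-sum(table)) & 0xFF    # checksum byte sits at header offset 9
    return bytes(table)


if __name__ == "__main__":
    table = read_wpbt_from_firmware()
    if table is None:
        print("no live WPBT table here; parsing a constructed sample instead")
        table = build_sample_wpbt(0x7F000000, 0x1000, "example.exe /silent")
    for key, value in parse_wpbt(table).items():
        print(f"{key:>25}: {value}")
```

Run across a fleet, the OEM ID, handoff location and command line give a baseline: a machine whose table appears where none existed before, or whose values differ from the vendor's known configuration, is worth pulling for firmware inspection. The script deliberately refuses tables whose header length or checksum disagree with the buffer, since a table that Windows would still execute but that fails these checks is itself a finding.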

Eclypsium also discovered, in Dell SupportAssist’s BIOSConnect feature, another attack vector that allows threat actors to control the boot process of a targeted device and compromise OS-level security controls. Dell SupportAssist is software pre-installed on most Dell Windows devices.

As the researchers revealed, the issue “affects 129 Dell models of consumer and commercial laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secure Core PCs,” leaving roughly 30 million personal devices exposed to attack.

The Dell vulnerabilities were reported three months ago (see: 30 million Dell PC owners beware: you’ve been targeted by hackers).
