Security researchers have disclosed an unpatched weakness in Microsoft Windows Platform Binary Table (WPBT) affecting all Windows-based devices since Windows 8 that could be potentially exploited to install a rootkit and compromise the integrity of devices.
“These flaws make every Windows system vulnerable to easily-crafted attacks that install fraudulent vendor-specific tables,” researchers from Eclypsium said in a report published on Monday. “These tables can be exploited by attackers with direct physical access, with remote access, or through manufacturer supply chains. More importantly, these motherboard-level flaws can obviate initiatives like Secured-core because of the ubiquitous usage of ACPI [Advanced Configuration and Power Interface] and WPBT.”
WPBT, introduced with Windows 8 in 2012, is a feature that enables “boot firmware to provide Windows with a platform binary that the operating system can execute.”
In other words, it allows PC manufacturers to point to signed portable executables or other vendor-specific drivers that ship as part of the UEFI firmware ROM image, so that they can be loaded into physical memory during Windows initialization, before any operating system code executes.
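As an added illustration (not code from the Eclypsium report or from Microsoft's documentation), the following C parser reads a WPBT table as firmware exposes it, for instance a dump taken from /sys/firmware/acpi/tables/WPBT on a Linux live system, so a defender can inventory which binary the table hands to Windows, where it sits in memory and with what arguments. The field layout is assumed to follow Microsoft's public WPBT specification, and the sample table is constructed here, not captured from real hardware.

```c
#include <stdint.h>
#include <string.h>
/* Fields a defender wants from a WPBT table (public WPBT spec layout, assumed). */
struct wpbt_info {
    uint32_t handoff_size;      /* bytes of the platform binary in memory */
    uint64_t handoff_location;  /* physical address of that binary */
    uint8_t layout, type;       /* 1 = single PE image, 1 = native user-mode app */
    char args[64];              /* UCS-2 arguments narrowed to ASCII for display */
};

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* 0 = ok, -1 = bad signature/length/bounds, -2 = ACPI checksum mismatch. */
int parse_wpbt(const uint8_t *t, size_t n, struct wpbt_info *out) {
    if (n < 52 || memcmp(t, "WPBT", 4) != 0) return -1;
    uint32_t len = rd32(t + 4);
    if (len < 52 || len > n) return -1;
    uint8_t sum = 0;
    for (uint32_t i = 0; i < len; i++) sum += t[i];  /* ACPI tables sum to 0 mod 256 */
    if (sum != 0) return -2;
    out->handoff_size = rd32(t + 36);       /* standard ACPI header is 36 bytes */
    out->handoff_location = rd64(t + 40);
    out->layout = t[48];
    out->type = t[49];
    uint16_t args_len = t[50] | t[51] << 8; /* type 1: u16 length + UCS-2 string */
    size_t nchars = args_len / 2;
    if (52u + args_len > len || nchars >= sizeof out->args) return -1;
    for (size_t i = 0; i < nchars; i++) out->args[i] = (char)t[52 + 2 * i];
    out->args[nchars] = '\0';
    return 0;
}

/* Constructed sample (not from real firmware): 1234-byte image at physical
 * 0x7FFD0000 with arguments "/q"; checksum byte 9 is fixed up at the end. */
size_t build_sample(uint8_t *buf) {
    static const uint8_t args[] = { '/', 0, 'q', 0 };
    size_t len = 52 + sizeof args;
    memset(buf, 0, len);
    memcpy(buf, "WPBT", 4); buf[4] = (uint8_t)len; buf[8] = 1;  /* signature, length, revision */
    buf[36] = 0xD2; buf[37] = 0x04;                             /* 1234, little-endian */
    buf[42] = 0xFD; buf[43] = 0x7F;                             /* 0x7FFD0000, little-endian */
    buf[48] = 1; buf[49] = 1; buf[50] = sizeof args;
    memcpy(buf + 52, args, sizeof args);
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[i];
    buf[9] = (uint8_t)(0x100 - sum);
    return len;
}
```

A table whose checksum fails, or whose binary lives at an address or with arguments the OEM did not document, is the kind of finding that warrants comparing against a known-good firmware image.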
The main objective of WPBT is to allow critical features such as anti-theft software to persist even in scenarios where the operating system has been modified, formatted, or reinstalled. But given the functionality’s ability to have such software “stick to the device indefinitely,” Microsoft has warned of potential security risks that could arise from misuse of WPBT, including the possibility of deploying rootkits on Windows machines.
“Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions,” the Windows maker notes in its documentation. “In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent).”
The weakness uncovered by the enterprise firmware security company is that the WPBT mechanism accepts a binary signed with a revoked or expired certificate, which defeats the integrity check entirely: an attacker can sign a malicious binary with an already available expired certificate and have it run arbitrary code with kernel privileges when the device boots.
In response to the findings, Microsoft has recommended using a Windows Defender Application Control (WDAC) policy to tightly control which binaries are permitted to run on the device.
The latest disclosure follows a separate set of findings in June 2021, which involved a set of four vulnerabilities — collectively called BIOS Disconnect — that could be weaponized to gain remote execution within the firmware of a device during a BIOS update, further highlighting the complexity and challenges involved in securing the boot process.
“This weakness can be potentially exploited via multiple vectors (e.g., physical access, remote, and supply chain) and by multiple techniques (e.g., malicious bootloader, DMA, etc.),” the researchers said. “Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices.”