Security researchers have found a flaw in Microsoft’s implementation of the Windows Platform Binary Table (WPBT) mechanism, which can be exploited to compromise computers running the Windows 8 and Windows 10 operating systems.
Microsoft describes WPBT as a fixed firmware Advanced Configuration and Power Interface (ACPI) table that was introduced with Windows 8 to enable OEMs and vendors to execute programs every time the Windows device boots up.
“The Eclypsium research team has identified a weakness in Microsoft’s WPBT capability that can allow an attacker to run malicious code with kernel privileges when a device boots up,” note the researchers.
The researchers backed their claims with a video demonstrating the attacks on a secured-core PC running the latest boot protections.
OEM rootkit
The researchers note that while WPBT has been adopted by popular vendors including Lenovo, ASUS, and several others, security researcher and Windows Internals co-author Alex Ionescu flagged the danger of WPBT being used as a rootkit as early as 2012.
Eclypsium found the vulnerability in WPBT while working on the BIOSDisconnect vulnerabilities it reported earlier this year, in June, which exposed Dell devices to remote execution attacks.
The WPBT issue stems from the fact that while Microsoft requires a WPBT binary to be signed, the signature check accepts a binary signed with an expired or revoked certificate, which gives attackers the opportunity to sign malicious binaries with “any readily available expired certificate.”
“This weakness can be potentially exploited via multiple vectors (e.g. physical access, remote, and supply chain) and by multiple techniques (e.g. malicious bootloader, DMA, etc),” the researchers reason.
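To make the weakness concrete, the following Go program is an added example (not code from the article, from Eclypsium, or from Microsoft) that builds a constructed certificate chain and compares two verifiers for a signed binary: a weak one that only checks the signature and the issuer, which is the class of check the article describes, and a hardened one that also enforces the validity period, the code-signing key usage and revocation. The CA, the leaf certificate, the payload and the revocation set are all constructed inside the program; the revocation map stands in for a CRL or OCSP lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed fixture: a self-signed root CA and a code-signing leaf it issued.
type Chain struct {
	CA      *x509.Certificate
	Leaf    *x509.Certificate
	LeafKey *ecdsa.PrivateKey
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs the CA and a leaf whose validity ends at leafNotAfter.
// A time in the past yields an already-expired signing certificate.
func BuildChain(leafNotAfter time.Time) (*Chain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now, year := time.Now(), 365*24*time.Hour
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Firmware Root CA"},
		NotBefore: now.Add(-5 * year), NotAfter: now.Add(5 * year),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Constructed OEM Code Signing"},
		NotBefore: now.Add(-2 * year), NotAfter: leafNotAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf, err := issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Chain{CA: ca, Leaf: leaf, LeafKey: leafKey}, nil
}

// Sign produces an ECDSA signature over SHA-256(binary) with the leaf key.
func (c *Chain) Sign(binary []byte) ([]byte, error) {
	digest := sha256.Sum256(binary)
	return ecdsa.SignASN1(rand.Reader, c.LeafKey, digest[:])
}

// checkSignature verifies only that the leaf was issued by root and that sig covers binary.
func checkSignature(root, leaf *x509.Certificate, binary, sig []byte) error {
	if err := leaf.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("leaf not issued by trusted root: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	digest := sha256.Sum256(binary)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature over binary")
	}
	return nil
}

// VerifyWeak mirrors the weakness the article describes: the signature and issuer
// are checked, but the validity period and revocation status are never consulted,
// so an expired or revoked signing certificate is accepted.
func VerifyWeak(root, leaf *x509.Certificate, binary, sig []byte) error {
	return checkSignature(root, leaf, binary, sig)
}

// VerifyStrict is the hardened form: chain validation at the current time (rejects
// expired certificates), code-signing EKU enforcement, and a revocation check before
// the signature itself is examined. revoked is keyed by certificate serial number.
func VerifyStrict(root, leaf *x509.Certificate, binary, sig []byte, revoked map[string]bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if revoked[leaf.SerialNumber.String()] {
		return errors.New("signing certificate is revoked")
	}
	return checkSignature(root, leaf, binary, sig)
}

func main() {
	c, err := BuildChain(time.Now().Add(-24 * time.Hour)) // expired yesterday
	if err != nil {
		panic(err)
	}
	bin := []byte("constructed WPBT payload")
	sig, _ := c.Sign(bin)
	fmt.Println("weak verifier:  ", VerifyWeak(c.CA, c.Leaf, bin, sig))
	fmt.Println("strict verifier:", VerifyStrict(c.CA, c.Leaf, bin, sig, nil))
}
```

Running it prints `<nil>` for the weak verifier and a chain-validation error mentioning expiry for the strict one: the same signed blob is accepted or rejected purely on whether the verifier enforces the certificate's lifetime. The strict path also refuses a serial present in the revocation set and any payload whose bytes do not match the signature.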