Microsoft WPBT Flaw Allows Hackers to Install Rootkits on Windows


Researchers discovered a hole in the Microsoft Windows Platform Binary Table (WPBT) that could be used to install rootkits on all Windows devices manufactured after 2012.

Rootkits are malicious tools that threat actors use to take complete control of a compromised system while evading detection, by burrowing deep inside the operating system.

Starting with Windows 8, Microsoft introduced WPBT, a fixed ACPI (Advanced Configuration and Power Interface) firmware table that lets vendors have Windows run a programme every time a device starts.

However, in addition to letting OEMs force-install important software that cannot be shipped with Windows installation media, this mechanism can also let attackers deploy malicious programmes, as Microsoft cautions in its own documentation.

“Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions,” Microsoft explains.

“In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent).”
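The article describes what WPBT does but never shows what the table contains. The following Python example, added here and not taken from the article, Eclypsium or Microsoft, decodes a WPBT according to the field layout in Microsoft's WPBT specification and reports what the Windows loader would execute at boot, which is the first thing a defender wants to know when inventorying firmware on a fleet. The table bytes are constructed inline for the demonstration; on a real machine the same bytes come from kernel32's GetSystemFirmwareTable with the 'ACPI' provider and the 'WPBT' table signature, which the `read_wpbt_from_firmware` helper wraps (it only runs on Windows, and the table-ID byte order it uses is the usual little-endian convention, so verify it on a test machine). All function names, the dataclass and the sample OEM values are assumptions for this example.

```python
"""Parse a Windows Platform Binary Table (WPBT) and report what the Windows
loader would execute at boot. Field layout follows Microsoft's WPBT
specification (revision 1); every name and sample value here is constructed."""
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

# Standard 36-byte ACPI header: signature, length, revision, checksum,
# OEM ID (6), OEM table ID (8), OEM revision, creator ID (4), creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT-specific fields at offset 36: HandoffMemorySize, HandoffMemoryLocation,
# ContentLayout (1 = single flat PE image), ContentType (1 = native user-mode
# application), CommandLineLength (bytes of UTF-16LE arguments that follow).
WPBT_BODY = struct.Struct("<IQBBH")
CHECKSUM_OFFSET = 9  # header byte that makes the whole table sum to 0 mod 256


@dataclass
class WpbtInfo:
    oem_id: str
    oem_table_id: str
    checksum_ok: bool
    binary_address: int   # physical address the loader copies the image from
    binary_size: int
    content_layout: int
    content_type: int
    command_line: str


def parse_wpbt(table: bytes) -> WpbtInfo:
    """Decode a raw WPBT; raises ValueError on anything structurally wrong."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("buffer too short for a WPBT")
    sig, length, _rev, _chk, oem_id, oem_tid, _orev, _cid, _crev = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT (signature {sig!r})")
    if length > len(table) or length < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("declared length inconsistent with buffer")
    size, addr, layout, ctype, cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    cmd_start = ACPI_HEADER.size + WPBT_BODY.size
    if cmd_start + cmd_len > length:
        raise ValueError("command line runs past the declared table length")
    cmd = table[cmd_start:cmd_start + cmd_len].decode("utf-16-le", "replace").rstrip("\x00")
    return WpbtInfo(
        oem_id=oem_id.decode("ascii", "replace").strip(),
        oem_table_id=oem_tid.decode("ascii", "replace").strip(),
        checksum_ok=sum(table[:length]) % 256 == 0,
        binary_address=addr, binary_size=size,
        content_layout=layout, content_type=ctype, command_line=cmd)


def summarize(info: WpbtInfo) -> List[str]:
    """Human-readable findings for an inventory or incident-response report."""
    lines = [
        f"WPBT present: OEM ID {info.oem_id!r}, table ID {info.oem_table_id!r}",
        f"loader will run a {info.binary_size:#x}-byte image from physical address "
        f"{info.binary_address:#x} with arguments {info.command_line!r}",
    ]
    if not info.checksum_ok:
        lines.append("WARNING: ACPI checksum mismatch; the table has been altered")
    if (info.content_layout, info.content_type) != (1, 1):
        lines.append(f"WARNING: layout/type ({info.content_layout}, {info.content_type}) "
                     "differ from the documented (1, 1)")
    return lines


def build_sample_table(cmd: str = "-quiet", addr: int = 0x7F000000, size: int = 0x8000) -> bytes:
    """Constructed demo table (not captured from real firmware)."""
    cmd_bytes = (cmd + "\x00").encode("utf-16-le")
    length = ACPI_HEADER.size + WPBT_BODY.size + len(cmd_bytes)
    table = bytearray(ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"DEMO  ", b"DEMOWPBT", 1, b"DEMO", 1))
    table += WPBT_BODY.pack(size, addr, 1, 1, len(cmd_bytes)) + cmd_bytes
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF   # make the whole table sum to zero
    return bytes(table)


def read_wpbt_from_firmware() -> Optional[bytes]:
    """Fetch the live table through kernel32!GetSystemFirmwareTable (Windows only).
    Returns None when the firmware exposes no WPBT."""
    if sys.platform != "win32":
        raise RuntimeError("GetSystemFirmwareTable is only available on Windows")
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetSystemFirmwareTable.argtypes = [ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32]
    k32.GetSystemFirmwareTable.restype = ctypes.c_uint32
    provider = 0x41435049                          # 'ACPI' provider signature
    table_id = int.from_bytes(b"WPBT", "little")   # table signature in memory byte order (assumed)
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None
    buf = ctypes.create_string_buffer(needed)
    k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw


if __name__ == "__main__":
    raw = read_wpbt_from_firmware() if sys.platform == "win32" else build_sample_table()
    print("\n".join(summarize(parse_wpbt(raw))) if raw else "no WPBT exposed by firmware")
```

Run across a fleet, the OEM ID, image size and command line give you a baseline to compare against the vendor's documented WPBT payload; a table that differs from that baseline, or whose checksum no longer validates, is exactly the kind of change the attacks described in this article would leave behind.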

All machines running Windows 8 or later are affected.

Eclypsium researchers discovered a flaw in Windows machines that has existed since 2012, when the feature was initially introduced with Windows 8.

These attacks can use a malicious bootloader or any other technique that allows writing to the memory where ACPI tables (including WPBT) are stored.

This can be accomplished by exploiting the BootHole vulnerability, which bypasses Secure Boot, or by launching DMA attacks against vulnerable peripherals or components.

“The Eclypsium research team has identified a weakness in Microsoft’s WPBT capability that can allow an attacker to run malicious code with kernel privileges when a device boots up,” Eclypsium researchers said.

“This weakness can be potentially exploited via multiple vectors (e.g. physical access, remote, and supply chain) and by multiple techniques (e.g. malicious bootloader, DMA, etc).”

Eclypsium has released a demo video showing how this security weakness can be exploited.

WDAC policies are one type of mitigation measure.

Following Eclypsium’s notification of the flaw, Microsoft advised adopting a Windows Defender Application Control policy to control which binaries can execute on a Windows device.

According to Microsoft’s support article, “WDAC policy is also enforced for binaries included in the WPBT and should mitigate this issue.”

WDAC policies can only be created on Windows 10 1903 and later client editions, as well as Windows 11 and Windows Server 2016 and above.

On systems running older Windows versions, you can use AppLocker policies to control which programmes are allowed to execute on a Windows client.

“These motherboard-level flaws can obviate initiatives like Secured-core because of the ubiquitous usage of ACPI and WPBT,” Eclypsium researchers added.

“Security professionals need to identify, verify and fortify the firmware used in their Windows systems. Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices.”

Eclypsium also discovered another attack vector in the BIOSConnect feature of Dell SupportAssist, software that comes preloaded on most Dell Windows computers, which allows threat actors to take control of a targeted device’s boot process and bypass OS-level security protections.

The problem “affects 129 Dell types of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs,” according to the researchers, exposing around 30 million devices to attacks.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.