Windows 10 rootkit flaw identified by researchers

WPBT flaw could enable malicious actors to install rootkits on Windows devices


Security firm Eclypsium has uncovered a weakness in the Microsoft Windows Platform Binary Table (WPBT) in Windows 8 and 10

Researchers at cyber security firm Eclypsium have uncovered a weakness in the Microsoft Windows Platform Binary Table (WPBT) mechanism that could enable threat actors to install rootkits on machines running Windows 8 and Windows 10 operating systems.

Rootkits are malicious tools used by hackers to gain system-level or admin rights on a computer system. These programs can hide deep in the OS and bypass user authentication measures.

Microsoft WPBT is a fixed firmware ACPI (Advanced Configuration and Power Interface) table introduced in 2012 with Windows 8. It allows vendors and OEMs to modify the host operating system and run programmes each time a Windows device boots up.

The mechanism has been adopted by several vendors including ASUS and Lenovo, which use it to force-install critical software (specific drivers, applications, and content) that can't be bundled with the Windows installation media.

Eclypsium said in a blog post that a security flaw in WPBT could enable hackers to compromise this mechanism and execute 'malicious code with kernel privileges when a device boots up'.

The vulnerability was found when researchers were working on BIOSDisconnect flaws, which exposed Dell devices to remote execution attacks.


The issue arises from the fact that while Microsoft requires a WPBT binary file to be signed, it will accept a revoked or expired certificate. This allows hackers the opportunity to sign malicious binaries with "any readily available expired certificate".

The weakness has been present on Windows computers since 2012 and can be exploited via multiple vectors (remote access, physical access and supply chain) and multiple techniques (direct memory access attacks, malicious bootloader), according to the researchers.

"More importantly, these motherboard-level flaws can obviate initiatives like Secured-core because of the ubiquitous usage of ACPI and WPBT," they said.

After Eclypsium alerted Microsoft to the vulnerability, the company recommended using a Windows Defender Application Control (WDAC) policy, which controls which binaries are allowed to execute on Windows machines.

In a support document (docx), Microsoft warns that WPBT-based solutions must be "as secure as possible and should not expose Windows users to exploitable conditions".

"Microsoft recommends customers use Windows Defender Application Control (WDAC) to limit what is allowed to run on their devices," it says.

"WDAC policy is also enforced for binaries included in the WPBT and should mitigate this issue. We recommend customers implement a WDAC policy that is as restrictive as practical for their environment."
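The following PowerShell script is an added example for defenders, written for this page; it is not code from Eclypsium's post or from Microsoft's guidance. It ties together the two technical points above: first, it reads the WPBT ACPI table through the documented Win32 API `GetSystemFirmwareTable` to report whether the firmware publishes a boot-time binary at all and what the table points to (field offsets follow the WPBT table layout: standard 36-byte ACPI header, then hand-off size, hand-off address, layout, type and a UTF-16 argument string); second, it inspects the Authenticode signature of the payload Windows drops to `%SystemRoot%\System32\wpbbin.exe` (that path is the well-known drop location and is not mentioned in the article), checking explicitly for an expired or revoked signing certificate, which is exactly what the article says the WPBT loader does not reject; third, it scaffolds an audit-mode WDAC policy with the `New-CIPolicy`, `Set-RuleOption` and `ConvertFrom-CIPolicy` cmdlets. The function names and the output file locations are my own choices. Run it from an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not from the article, Eclypsium or Microsoft): inventory WPBT on a host,
# check the dropped binary's certificate, and build an audit-mode WDAC policy.

# --- 1. Does the firmware publish a WPBT table? ---------------------------------------
# P/Invoke the documented kernel32!GetSystemFirmwareTable API.
$fwApi = Add-Type -Namespace WpbtCheck -Name Native -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

function Get-WpbtTable {
    $ACPI_PROVIDER = 0x41435049                     # 'ACPI' provider signature as documented
    $WPBT_ID = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)  # signature as stored in memory
    $size = $fwApi::GetSystemFirmwareTable($ACPI_PROVIDER, $WPBT_ID, $null, 0)
    if ($size -eq 0) { return $null }               # no WPBT: firmware injects nothing at boot
    $buf = New-Object byte[] $size
    [void]$fwApi::GetSystemFirmwareTable($ACPI_PROVIDER, $WPBT_ID, $buf, $size)

    # ACPI header occupies bytes 0-35; WPBT-specific fields start at offset 36.
    $argLen = [BitConverter]::ToUInt16($buf, 50)    # length of the UTF-16 argument string in bytes
    $argLen = [Math]::Min($argLen, $buf.Length - 52) # never read past the table
    [pscustomobject]@{
        OemId          = [Text.Encoding]::ASCII.GetString($buf, 10, 6).Trim()
        OemTableId     = [Text.Encoding]::ASCII.GetString($buf, 16, 8).Trim()
        HandoffSize    = [BitConverter]::ToUInt32($buf, 36)
        HandoffAddress = '0x{0:X}' -f [BitConverter]::ToUInt64($buf, 40)
        Layout         = $buf[48]                    # 1 = single PE image in physical memory
        Type           = $buf[49]                    # 1 = native user-mode application
        Arguments      = [Text.Encoding]::Unicode.GetString($buf, 52, $argLen).TrimEnd([char]0)
    }
}

# --- 2. Is the dropped payload signed with a cert that is still valid and unrevoked? ---
function Test-WpbtBinarySignature {
    $path = Join-Path $env:SystemRoot 'System32\wpbbin.exe'  # where Windows writes the WPBT payload
    if (-not (Test-Path $path)) { return $null }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate
    $revocationOk = $null; $chainErrors = @()
    if ($cert) {
        # Get-AuthenticodeSignature alone does not tell us about expiry or revocation,
        # so build the chain ourselves with online revocation checking for every link.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $revocationOk = $chain.Build($cert)
        $chainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }
    [pscustomobject]@{
        Path         = $path
        SigStatus    = $sig.Status                   # Valid / NotSigned / HashMismatch / ...
        Signer       = if ($cert) { $cert.Subject } else { $null }
        NotAfter     = if ($cert) { $cert.NotAfter } else { $null }
        ExpiredNow   = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        ChainBuilt   = $revocationOk
        ChainErrors  = ($chainErrors -join ', ')     # e.g. NotTimeValid, Revoked, RevocationStatusUnknown
        SHA256       = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
}

# --- 3. Audit-mode WDAC policy: log what would be blocked before enforcing -------------
function New-WdacAuditPolicy {
    param(
        [string]$XmlPath = (Join-Path $env:TEMP 'WpbtAudit.xml'),
        [string]$BinPath = (Join-Path $env:TEMP 'SIPolicy.p7b')
    )
    # Publisher-level rules from what is installed now, hash rules where no publisher exists.
    # Scanning SystemRoot takes a while; -UserPEs makes the policy cover user-mode binaries too.
    New-CIPolicy -Level Publisher -Fallback Hash -ScanPath $env:SystemRoot -UserPEs -FilePath $XmlPath
    Set-RuleOption -FilePath $XmlPath -Option 3      # option 3 = Enabled:Audit Mode
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinPath
    return $BinPath
}

Get-WpbtTable | Format-List
Test-WpbtBinarySignature | Format-List
# New-WdacAuditPolicy   # uncomment to generate the audit policy binary
```

A host with no WPBT returns nothing from `Get-WpbtTable` and has no `wpbbin.exe` to inspect; on a host that does carry one, `ExpiredNow`, `ChainErrors` and the file hash are the fields worth shipping to a SIEM and comparing across the fleet. The policy binary produced by `New-WdacAuditPolicy` is in audit mode, so it only writes Code Integrity events; review those events, then remove option 3 and deploy the enforced policy through your normal WDAC channel (Intune, Group Policy, or the single-policy `CodeIntegrity\SiPolicy.p7b` location) once the allow list is complete.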

Earlier this month, Microsoft released software updates (September 2021 Patch Tuesday) to address dozens of security vulnerabilities in Windows and other products, including a zero-day that was being actively exploited in the wild.

In total, Microsoft plugged 66 security holes across Windows, Office, SharePoint Server, Azure Sphere, Azure Open Management Infrastructure, Visual Studio, BitLocker, Windows DNS and Windows Subsystem for Linux, among other software.

In addition to these flaws, the software giant also addressed 20 Chromium security bugs that existed in its Edge browser software.