Sep 25, 2021 | Shaoni Ghosh
Researchers have disclosed an unpatched vulnerability in Microsoft's Windows Platform Binary Table (WPBT) that affects every Windows device shipped since Windows 8 and can be abused to install a rootkit and compromise the integrity of the device.
Because the weakness lies in how Windows handles these vendor-specific tables, any Windows machine can be targeted by an attack that plants a malicious table. Given how widely ACPI and WPBT are used, these motherboard-level weaknesses can undermine protections such as Microsoft's Secured-core PC initiative. According to the researchers, the tables can be abused by attackers with physical access as well as by remote attackers.
WPBT is a feature first introduced with Windows 8 in 2012. It allows boot firmware to hand Windows a platform binary that the operating system then executes.
PC makers (OEMs) use UEFI to point to signed portable executables or other vendor-specific drivers that ship as part of the UEFI firmware ROM image. During boot the firmware places the binary in physical memory, and Windows copies it out and runs it as a native application early in the boot process. In other words, it lets a vendor pre-load code into every Windows installation on the device without touching the disk.
WPBT is designed to keep critical functions such as anti-theft software running even if the operating system is changed, the disk is formatted, or Windows is reinstalled, because the binary lives in firmware rather than on the disk.
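Since WPBT is an ACPI table, a defender can parse it directly from a firmware dump or a memory image. The Python below is an added example written for this page, not code from the researchers, from Microsoft, or from any OEM. It parses a WPBT table using the field layout from Microsoft's published WPBT specification (36-byte ACPI header, then handoff size, handoff physical address, content layout, content type and a UTF-16LE command line), verifies the ACPI checksum, and runs a few sanity checks against a memory map. The OEM strings, the handoff address and its contents, and the triage checks themselves are constructed for illustration.

```python
import struct

# Field layout follows Microsoft's published WPBT specification:
# a standard 36-byte ACPI table header followed by the WPBT-specific fields.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")   # Signature, Length, Revision, Checksum, OEMID,
                                                  # OEM Table ID, OEM Revision, Creator ID, Creator Revision
WPBT_FIELDS = struct.Struct("<IQBBH")             # Handoff Memory Size, Handoff Memory Location,
                                                  # Content Layout, Content Type, Command Line Length
FIXED_LEN = ACPI_HEADER.size + WPBT_FIELDS.size   # 52 bytes precede the UTF-16LE command line

LAYOUT_SINGLE_PE = 1       # the only layout the spec defines
TYPE_NATIVE_USER_APP = 1   # the only content type the spec defines


def acpi_checksum_ok(table: bytes) -> bool:
    """An ACPI table is valid when all of its bytes (checksum byte included) sum to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Parse a raw WPBT table; raise ValueError on any structural inconsistency."""
    if len(table) < FIXED_LEN:
        raise ValueError("table shorter than the fixed WPBT fields")
    sig, length, revision, _chk, oem_id, oem_table_id, _, _, _ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header length {length} != {len(table)} bytes supplied")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    handoff_size, handoff_addr, layout, ctype, cmd_len = WPBT_FIELDS.unpack_from(table, ACPI_HEADER.size)
    if FIXED_LEN + cmd_len > length:
        raise ValueError("command line runs past end of table")
    cmdline = table[FIXED_LEN:FIXED_LEN + cmd_len].decode("utf-16-le").rstrip("\x00")
    return {
        "revision": revision,
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "handoff_addr": handoff_addr,
        "handoff_size": handoff_size,
        "layout": layout,
        "content_type": ctype,
        "cmdline": cmdline,
    }


def triage(table: bytes, physmem: dict) -> list:
    """Return human-readable findings. `physmem` maps physical address -> bytes and stands in
    for a memory dump (constructed for this example); an empty list means nothing looked off."""
    findings = []
    info = parse_wpbt(table)
    if info["layout"] != LAYOUT_SINGLE_PE or info["content_type"] != TYPE_NATIVE_USER_APP:
        findings.append(f"unknown layout/type {info['layout']}/{info['content_type']}")
    region = physmem.get(info["handoff_addr"])
    if region is None:
        findings.append(f"handoff region 0x{info['handoff_addr']:x} not present in memory map")
    else:
        if len(region) < info["handoff_size"]:
            findings.append("handoff region shorter than declared Handoff Memory Size")
        if not region.startswith(b"MZ"):
            findings.append("handoff region does not start with a PE (MZ) header")
    if info["cmdline"]:
        findings.append(f"platform binary receives command line: {info['cmdline']!r}")
    return findings


def build_wpbt(handoff_addr: int, handoff_size: int, cmdline: str = "") -> bytes:
    """Construct a syntactically valid WPBT table (test fixture only; OEM strings are made up)."""
    cmd = cmdline.encode("utf-16-le")
    length = FIXED_LEN + len(cmd)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"CONSTRCT", 1, b"DEMO", 1)
    fields = WPBT_FIELDS.pack(handoff_size, handoff_addr, LAYOUT_SINGLE_PE, TYPE_NATIVE_USER_APP, len(cmd))
    raw = bytearray(header + fields + cmd)
    raw[9] = (-sum(raw)) % 256   # fix up the checksum byte so the whole table sums to zero
    return bytes(raw)


# Constructed sample: a table pointing at a 4 KiB handoff buffer holding a PE-looking blob.
SAMPLE_ADDR, SAMPLE_SIZE = 0x7F000000, 0x1000
SAMPLE_TABLE = build_wpbt(SAMPLE_ADDR, SAMPLE_SIZE, "/silent")
SAMPLE_MEMORY = {SAMPLE_ADDR: b"MZ" + b"\x00" * (SAMPLE_SIZE - 2)}

if __name__ == "__main__":
    for key, value in parse_wpbt(SAMPLE_TABLE).items():
        print(f"{key:>14}: {value:#x}" if isinstance(value, int) else f"{key:>14}: {value}")
    for line in triage(SAMPLE_TABLE, SAMPLE_MEMORY):
        print("finding:", line)
    tampered = bytearray(SAMPLE_TABLE)
    tampered[-2] ^= 0x01          # flip a bit in the command line without fixing the checksum
    try:
        parse_wpbt(bytes(tampered))
    except ValueError as err:
        print("tampered table rejected:", err)
```

On Linux, when the firmware publishes a WPBT, the raw table is exposed at /sys/firmware/acpi/tables/WPBT and can be fed straight to parse_wpbt. On Windows the Session Manager writes the extracted image to %SystemRoot%\System32\wpbbin.exe, which is the file to inspect with Get-AuthenticodeSignature. A structurally valid table says nothing about whether the binary's certificate is trustworthy, which is exactly the gap the researchers describe.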
Microsoft's own documentation acknowledges that misuse of the feature poses a security risk, since it provides a path for installing persistent, rootkit-like code on a machine outside the normal operating system install path.
Microsoft's guidance states that WPBT-based solutions must be as secure as possible and must not expose Windows users to exploitable conditions, and that the mechanism must not be used to deploy malware or unwanted software, nor to install software without the user's consent.
According to The Hacker News, the WPBT mechanism accepts a signed binary whose certificate has been revoked or has expired, which completely bypasses the integrity check. An attacker can therefore sign a malicious binary with an already available expired certificate and have it run arbitrary code with kernel privileges when the device boots.
In response to the findings, Microsoft has recommended applying a Windows Defender Application Control (WDAC) policy to tightly restrict which binaries are allowed to execute on a device. Note that WDAC acts at the point where Windows executes the extracted binary; it does not stop the firmware from supplying one.
The disclosure follows a separate set of four vulnerabilities, dubbed BIOS Disconnect, that the researchers reported in June 2021. Those flaws sit in the boot process of devices and could be exploited to achieve remote code execution.