Researchers at Eclypsium recently announced a weakness in Microsoft Windows Platform Binary Table (WPBT) that allows for system level code execution or remote code execution during the boot process, which could allow the installation of rootkits. The flaw applies to any Windows version since Windows 8. WPBT is part of the Advanced Configuration and Power Interface (ACPI) that allows Original Equipment Manufacturers (OEM) such as Dell, Lenovo, ASUS, et al., to create a managed interface between the Windows OS and hardware components on the physical system. However, while WPBT checks for digital signatures, as Microsoft’s policy states “all binaries…must be embedded signed and timestamped,” malicious code using revoked or expired certificates is also accepted regardless of whether it has a valid signature. This also allows malicious insertion of code or files into the Windows OS during the startup process and bypasses Bitlocker disk encryption as well as other elements of the Secured-Core program.
Windows Defender Application Control (WDAC) can be used to revoke permission for binaries included in WPBT and is currently recommended by Microsoft in order to mitigate this issue. Documentation for WDAC is available here:
No known attacks using this vulnerability have been reported in the wild as of yet. However, the WPBT vulnerability is exploitable through direct physical access, remote access, or through supply chain attacks. Microsoft has not yet published a security advisory or workaround for this vulnerability beyond recommending the use of WDAC as appropriate for an organization’s risk management framework. A certain level of skill and knowledge will be required to craft targeted code such as malicious bootloaders, but modern threat actors are quickly adopting vulnerabilities and deploying them in the shadow economy via the sale or licensing of weaponized code.