Researchers at Eclypsium recently announced a weakness in the Microsoft Windows Platform Binary Table (WPBT) that allows system-level or remote code execution during the boot process, which in turn could allow the installation of rootkits. The flaw applies to every Windows version since Windows 8. WPBT is part of the Advanced Configuration and Power Interface (ACPI) and lets Original Equipment Manufacturers (OEMs) such as Dell, Lenovo and ASUS create a managed interface between the Windows OS and the hardware components of the physical system. However, while WPBT does check digital signatures, as Microsoft’s policy states that “all binaries…must be embedded signed and timestamped,” it also accepts code signed with a revoked or expired certificate, so a malicious binary can pass the check without holding a currently valid signature. This allows malicious code or files to be inserted into the Windows OS during startup, bypassing BitLocker disk encryption as well as other elements of the Secured-Core program.
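As an added example (not code from Eclypsium or from this article), a defender-side inventory check: parse the WPBT table to see whether the firmware publishes one and which binary and command line it hands to Windows at boot. The field layout follows Microsoft's published WPBT specification; the `build_wpbt` helper and the OEM/address/command-line values are constructed here only so the parser can be exercised offline, and the live read via `GetSystemFirmwareTable` works only on Windows.

```python
import ctypes
import struct
import sys

# 36-byte ACPI table header followed by the 16-byte WPBT-specific body.
ACPI_HDR = struct.Struct("<4sIBB6s8sI4sI")   # Sig, Length, Rev, Checksum, OEMID, OEMTableID, OEMRev, CreatorID, CreatorRev
WPBT_BODY = struct.Struct("<IQBBH")          # HandoffMemorySize, HandoffMemoryLocation, Layout, Type, CmdLineLength

def parse_wpbt(table: bytes) -> dict:
    """Parse a raw WPBT table; raise ValueError on structural problems."""
    if len(table) < ACPI_HDR.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    sig, length, _rev, _csum, oem, oem_tbl, _orev, _cid, _crev = ACPI_HDR.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError("declared length does not match table size")
    if sum(table) & 0xFF:                    # ACPI rule: all bytes sum to 0 mod 256
        raise ValueError("bad ACPI checksum")
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HDR.size)
    raw_args = table[ACPI_HDR.size + WPBT_BODY.size:][:arg_len]
    return {
        "oem_id": oem.rstrip(b"\0 ").decode(errors="replace"),
        "oem_table_id": oem_tbl.rstrip(b"\0 ").decode(errors="replace"),
        "binary_addr": addr, "binary_size": size,
        "content_layout": layout, "content_type": ctype,   # spec: 1 = single PE image, 1 = native user-mode app
        "cmdline": raw_args.decode("utf-16-le", errors="replace").rstrip("\0"),
    }

def build_wpbt(oem: bytes, addr: int, size: int, cmdline: str) -> bytes:
    """Build a well-formed WPBT (constructed sample data only; not firmware output)."""
    args = cmdline.encode("utf-16-le") + b"\0\0"
    body = WPBT_BODY.pack(size, addr, 1, 1, len(args)) + args
    hdr = ACPI_HDR.pack(b"WPBT", ACPI_HDR.size + len(body), 1, 0, oem.ljust(6), b"SAMPLE", 1, b"EXMP", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) & 0xFF          # fill in the checksum byte
    return bytes(table)

def read_live_wpbt():
    """Windows only: fetch the firmware's WPBT with GetSystemFirmwareTable('ACPI', 'WPBT')."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    provider = int.from_bytes(b"ACPI", "big")      # provider signature is big-endian
    table_id = int.from_bytes(b"WPBT", "little")   # ACPI table IDs are little-endian DWORDs
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None                                # firmware publishes no WPBT
    buf = ctypes.create_string_buffer(needed)
    k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw

if __name__ == "__main__":
    live = read_live_wpbt()
    print(parse_wpbt(live) if live else "no WPBT table found (or not running on Windows)")
```

A table that parses cleanly is the starting point, not a verdict: the reported binary address and command line tell you what the firmware hands to Windows, which you can then compare against the OEM's documented agent and your allow-list policy.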