Researchers at Eclypsium have found a flaw in Microsoft’s WPBT firmware, allowing attackers to install rootkits in the device’s OS.
Researchers have also said that this vulnerability impacts all systems running Windows 8 and later and can be mitigated by controlling what binaries can run on the Windows systems.
A Flaw in Windows PCs Since 2012
While it’s easy to solve bugs in third-party software, it’s hard or almost impossible to mitigate bugs in firmware and hardware. Thus, the best one can do to identify the source and block it to stay immune.
One such vulnerability is discovered by Eclypsium researchers in Windows Platform Binary Table, which attackers can exploit to install rootkits and proceed for further explanations.
Windows Platform Binary Table (WPBT) is a fixed firmware Advanced Configuration and Power Interface (ACPI), allowing vendors to execute system boot programs. This helps supply important updates for patching bugs, which need to be executed while booting up.
At the same time, it can also be helpful for attackers to exploit a Windows machine to the core, as they can exploit any boot vulnerability with kernel access and write their malicious programs to the core OS.
Eclypsium researchers said attackers could exploit this through various means like physical access, remote, and supply chain) and by multiple techniques (e.g., malicious bootloader, DMA, etc.).
This vulnerability affects Windows systems running 8 and later, as when Microsoft introduced Windows Platform Binary Table. This means all the Windows systems running since 2012 can be affected and needs to be secured.
Informing this to Microsoft, the Windows maker has suggested a thin solution – by using Windows Defender Application Control Policy. Users should use the WDAC policy to control what binaries can use the Windows client.
This policy is available in Windows 10 1903 and later and Windows 11 or Windows Server 2016 and above. And on Windows systems running older versions can use AppLocker policies to control the same.
