Windows bug allows rootkit installation
A vulnerability has been identified in the Windows Platform Binary Table (WPBT) on Microsoft Windows systems. It affects all devices running Microsoft operating systems from Windows 8 onwards and could potentially be exploited to install rootkits and compromise device integrity.

As detailed in technical reports, the table can be abused by an attacker with physical access to the system, with remote access, or through a supply chain attack. The alarming aspect is that these hardware vulnerabilities, which particularly affect the motherboard, would allow malicious actors to bypass operating system security features such as Secured-core.

WPBT enables persistence of critical functionality such as anti-theft software even in scenarios where the operating system has been modified, formatted, or reinstalled. However, given the capability of this feature to have such software “attached to the device indefinitely,” Microsoft has warned of potential security risks that could arise from improper use of WPBT, including the possibility of distributing rootkits across Windows machines.

The vulnerability stems from the fact that WPBT can accept a binary signed with a revoked or expired certificate, which completely bypasses integrity checks. A malicious actor can therefore sign a malicious binary with an available expired certificate and execute arbitrary code with kernel privileges at device startup. Our Cybersecurity Advisory teams have tracked multiple proof-of-concept implementations demonstrating this attack vector in controlled environments.

Microsoft has recommended using the Windows Defender Application Control (WDAC) feature to strictly limit the binary files that can be executed on devices.
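
For asset inventory, it helps to know whether a device's firmware publishes a WPBT at all and what it points to. The following is an added example, not code from the original article or from Microsoft: a parser for a WPBT table that has been dumped to a file (on Linux the firmware's copy is exposed at /sys/firmware/acpi/tables/WPBT when present). The field layout follows Microsoft's published WPBT specification; the sample table and its OEM values are constructed.

```python
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_FIELDS = struct.Struct("<IQBBH")          # WPBT fields that follow the header

def parse_wpbt(raw: bytes) -> dict:
    """Validate a dumped WPBT ACPI table and return the fields worth auditing."""
    fixed = ACPI_HEADER.size + WPBT_FIELDS.size
    if len(raw) < fixed:
        raise ValueError("too short for a WPBT table")
    sig, length, rev, _cksum, oem_id, oem_table, _, _, _ = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not fixed <= length <= len(raw):
        raise ValueError("length field inconsistent with dump size")
    size, location, layout, ctype, args_len = WPBT_FIELDS.unpack_from(raw, ACPI_HEADER.size)
    if fixed + args_len > length:
        raise ValueError("argument string runs past end of table")
    return {
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_table.rstrip(b"\0 ").decode("ascii", "replace"),
        "revision": rev,
        "checksum_ok": sum(raw[:length]) % 256 == 0,  # all ACPI table bytes sum to zero
        "handoff_size": size,          # size of the buffer holding the platform binary
        "handoff_location": location,  # physical address of that buffer
        "content_layout": layout,
        "content_type": ctype,
        "arguments": raw[fixed:fixed + args_len].decode("utf-16-le", "replace").rstrip("\0"),
    }

def constructed_sample() -> bytes:
    """Constructed table (not from a real device) with made-up OEM values."""
    args = "/audit\0".encode("utf-16-le")
    body = WPBT_FIELDS.pack(0x6000, 0x7F000000, 1, 1, len(args)) + args
    length = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"EXAMPLE ", 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) % 256  # the checksum byte lives at offset 9
    return bytes(table)

if __name__ == "__main__":
    for key, value in parse_wpbt(constructed_sample()).items():
        print(f"{key}: {value}")
```

A device that reports a WPBT is not necessarily compromised; the output identifies which OEM published the table so it can be compared against what the vendor is expected to ship.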