{"id":3247,"date":"2021-09-27T14:23:01","date_gmt":"2021-09-27T14:23:01","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3247"},"modified":"2026-06-08T22:57:37","modified_gmt":"2026-06-08T22:57:37","slug":"windows-bug-rootkit-installation","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/windows-bug-rootkit-installation\/","title":{"rendered":"Windows bug allows RootKit installation"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">A vulnerability has been identified in Microsoft Windows systems related to the <strong>WPBT<\/strong> (Windows Platform Binary Table), affecting all devices running Microsoft operating systems from Windows 8 onwards, which could be exploited to install <strong>rootkits<\/strong> and compromise device integrity.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"920\" height=\"425\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/11\/LoJax-The-First-Ever-UEFI-Rootkit-Released-920x425-1.jpg\" alt=\"\" class=\"wp-image-3390\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/LoJax-The-First-Ever-UEFI-Rootkit-Released-920x425-1.jpg 920w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/LoJax-The-First-Ever-UEFI-Rootkit-Released-920x425-1-300x139.jpg 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/LoJax-The-First-Ever-UEFI-Rootkit-Released-920x425-1-768x355.jpg 768w\" sizes=\"(max-width: 920px) 100vw, 920px\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">As detailed in technical reports, the WPBT can be exploited by an attacker with <strong>physical access to the system<\/strong>, with <strong>remote access<\/strong>, or through <strong>supply chain attacks<\/strong>. 
The alarming aspect is that these hardware vulnerabilities, particularly affecting the motherboard, would allow malicious actors to bypass operating system security features such as <strong>Secured-core<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>WPBT<\/strong> enables persistence of critical functionality such as anti-theft software even in scenarios where the operating system has been modified, formatted, or reinstalled. However, given the capability of this feature to have such software &#8220;attached to the device indefinitely,&#8221; Microsoft has warned of potential security risks that could arise from improper use of WPBT, including the possibility of distributing rootkits across Windows machines. The vulnerability stems from the fact that WPBT can accept a binary signed with a revoked or expired certificate, completely bypassing integrity checks, thereby allowing a malicious actor to sign a malicious binary with an available expired certificate and execute arbitrary code with kernel privileges at device startup. 
Our <a href=\"https:\/\/fortgale.com\/en\/cybersecurity-advisory\/\">Cybersecurity Advisory<\/a> teams have tracked multiple proof-of-concept implementations demonstrating this attack vector in controlled environments.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft has recommended using the Windows Defender <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-application-control\/wdac-and-applocker-overview\" class=\"ek-link\">Application Control (WDAC)<\/a> feature to strictly limit the binary files that can be executed on devices.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Windows kernel-level vulnerability enabling unsigned-driver loading: rootkit installation pathway, exploitation pre-conditions and detection considerations.<\/p>\n","protected":false},"author":1,"featured_media":3390,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3244,3243,274,1631,3242,1633],"class_list":["post-3247","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-driver-signing","tag-kernel-exploit","tag-privilege-escalation","tag-rootkit-it","tag-windows-rootkit","tag-wpbt-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3247"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3247\/revisions"}],"predecessor-version":[{"id":9887,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3247\/revisions\/9887"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/3390"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}