According to researchers at Eclypsium, there is a yet-to-be-patched bug in WPBT, affecting all Windows-based devices from Windows 8 onward, that could potentially be exploited to install a rootkit and compromise the integrity of Windows devices. The Eclypsium research team identified a weakness in Microsoft's WPBT capability that could allow attackers to run malicious code with kernel privileges when a device boots up.
The WPBT functionality was intended to let OEMs include important files, drivers, or executables for the system without the need to modify the Windows image on disk; the technology is used by a number of vendors, including Lenovo, ASUS, and many others.
How Could the Microsoft WPBT Bug Let Attackers Easily Install a Rootkit?
The WPBT feature allows OEMs to modify the host operating system during boot to include vendor-specific drivers, applications, and content.
The bug stems from the fact that, although Microsoft requires a WPBT binary to be signed, it accepts an expired or revoked certificate. This means an attacker can sign a malicious binary with a readily available expired certificate, and that process can enable an attacker to install a rootkit, compromising the integrity of the device.
The issue affects all Windows-based devices from Windows 8, when the WPBT feature was first introduced, onward, and the attack scenario has been successfully demonstrated on modern Secured-core PCs that are running the latest boot protections.
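Before deciding how exposed a fleet is, a defender first wants to know which machines actually expose a WPBT table at all. The following is an added example, not code from Eclypsium or Microsoft: it uses the documented kernel32 firmware-table functions to list the ACPI tables the firmware hands to Windows and, if a WPBT table is present, reads its header. The field offsets follow Microsoft's published WPBT table layout (a standard 36-byte ACPI header followed by the handoff-memory fields); the function names and the warning text are this example's own.

```powershell
# Added example: inventory check for a WPBT table on a Windows host.
# Not code from Eclypsium or Microsoft; it calls the documented
# kernel32 firmware-table APIs. Run it on the device being assessed.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@
Add-Type -MemberDefinition $signature -Name FirmwareTables -Namespace Win32

# The API encodes the provider 'ACPI' as 0x41435049, while individual
# table IDs are the four-character signature read as a little-endian DWORD.
$ACPI = 0x41435049
$WPBT = [BitConverter]::ToUInt32([System.Text.Encoding]::ASCII.GetBytes('WPBT'), 0)

function Get-AcpiTableSignatures {
    # First call with a null buffer returns the size needed.
    $size = [Win32.FirmwareTables]::EnumSystemFirmwareTables($ACPI, $null, 0)
    if ($size -eq 0) { return @() }
    $buf = New-Object byte[] $size
    [void][Win32.FirmwareTables]::EnumSystemFirmwareTables($ACPI, $buf, $size)
    for ($i = 0; $i + 4 -le $size; $i += 4) {
        [System.Text.Encoding]::ASCII.GetString($buf, $i, 4)
    }
}

function Get-WpbtInfo {
    $size = [Win32.FirmwareTables]::GetSystemFirmwareTable($ACPI, $WPBT, $null, 0)
    if ($size -eq 0) { return $null }
    $buf = New-Object byte[] $size
    [void][Win32.FirmwareTables]::GetSystemFirmwareTable($ACPI, $WPBT, $buf, $size)

    # Standard 36-byte ACPI header.
    $info = [ordered]@{
        Length     = [BitConverter]::ToUInt32($buf, 4)
        Revision   = $buf[8]
        OemId      = [System.Text.Encoding]::ASCII.GetString($buf, 10, 6).Trim()
        OemTableId = [System.Text.Encoding]::ASCII.GetString($buf, 16, 8).Trim()
    }
    # WPBT-specific fields, present only if the table is long enough.
    if ($size -ge 50) {
        $info.HandoffMemorySize = [BitConverter]::ToUInt32($buf, 36)
        $info.HandoffMemoryAddr = '0x{0:X}' -f [BitConverter]::ToUInt64($buf, 40)
        $info.ContentLayout     = $buf[48]   # 1 = single physically contiguous PE image
        $info.ContentType       = $buf[49]   # 1 = native user-mode application
    }
    [PSCustomObject]$info
}

$tables = Get-AcpiTableSignatures
if ($tables -contains 'WPBT') {
    Write-Warning 'WPBT table present: firmware hands Windows a binary to run at boot.'
    Get-WpbtInfo | Format-List
} else {
    Write-Output 'No WPBT table exposed by the firmware on this host.'
}
```

The check needs no elevation, so it can be folded into an existing endpoint inventory script. A host that reports no WPBT table is not affected by the injection path described above; for hosts that do expose one, the OEM ID and handoff address tell you which vendor's payload the firmware is supplying, which is the starting point for deciding whether it is expected.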
How to Mitigate the Microsoft Windows Platform Binary Table (WPBT) Bug?
Microsoft has recommended that customers use a Windows Defender Application Control (WDAC) policy to tightly restrict which binaries are permitted to run on their devices, in order to mitigate the WPBT bug.
The researchers, however, advise organizations to take a layered approach to security, ensuring that all available bug fixes are applied and identifying any potential compromises of their devices.
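As an added example of the mitigation Microsoft recommends, the script below builds a WDAC policy from a trusted reference image, stages it in audit mode, and (once the audit log has been reviewed) switches it to enforcement. It is not Microsoft's or Eclypsium's code; the working directory `C:\WDAC`, the policy file names and the `-Enforce` switch are this example's own assumptions, while the cmdlets, rule option number, deployment path and event IDs are the standard WDAC ones.

```powershell
# Added example: build and deploy a WDAC policy that restricts which
# user-mode binaries may run on the device.
# Not Microsoft's or Eclypsium's code. Paths under C:\WDAC are assumptions.
# Run elevated on a reference machine whose installed software you trust.
param([switch]$Enforce)

$workDir   = 'C:\WDAC'
$policyXml = Join-Path $workDir 'WpbtMitigation.xml'
$policyBin = Join-Path $workDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Scan the trusted image and allow only what is found there, keyed on
#    the signing publisher. -UserPEs matters here: a WPBT payload is a
#    user-mode native executable, so the policy must cover user-mode
#    code and not just drivers. Unsigned files get per-file hash rules.
New-CIPolicy -FilePath $policyXml `
             -Level Publisher `
             -Fallback Hash `
             -ScanPath 'C:\Windows' `
             -UserPEs

# 2. Rule option 3 is "Enabled:Audit Mode". With it set, executions the
#    policy would block are only logged; removing it enforces the policy.
if ($Enforce) {
    Set-RuleOption -FilePath $policyXml -Option 3 -Delete
} else {
    Set-RuleOption -FilePath $policyXml -Option 3
}

# 3. Compile to the binary form Code Integrity loads and stage it in the
#    legacy single-policy location; the policy takes effect after a reboot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item $policyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

# 4. Review what the policy sees. Event 3076 = would have been blocked
#    (audit mode); 3077 = blocked (enforced). Anything unexpected here
#    deserves a look before, and after, switching to enforcement.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 50 |
    Where-Object Id -in 3076, 3077 |
    Select-Object TimeCreated, Id, Message
```

Run it first without `-Enforce`, leave the device in audit mode through a normal usage cycle, and only re-run with `-Enforce` after the 3076 events have been explained. The policy is only as strong as the allow list it was generated from, so the reference machine should be a clean build rather than an in-service endpoint, and the audit pass is what catches legitimate software the scan missed before enforcement turns a gap into a lockout.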