Microsoft WPBT Bug Allows Threat Actors to Install Rootkits on Windows Devices

Security researchers have discovered a bug in the Microsoft Windows Platform Binary Table (WPBT) that could be abused in a straightforward attack to install rootkits on all Windows computers shipped since 2012.

Rootkits are malicious tools that threat actors build to evade detection by burrowing deep into the OS; they are used to take complete control of compromised systems while remaining hidden. WPBT is a fixed firmware ACPI (Advanced Configuration and Power Interface) table introduced by Microsoft starting with Windows 8 to allow vendors to run programs every time a device boots.

However, besides allowing OEMs to force-install critical software that cannot be bundled with Windows installation media, this mechanism can also let attackers deploy malicious tools, as Microsoft warns in its documentation.

“Because this feature facilitates the ability to endlessly run the system software in the context of Windows, it becomes critical that WPBT-based solutions are as protected as possible and do not reveal Windows users to exploit conditions,” Microsoft explains.

“In particular, WPBT solutions must not include malware (i.e. malicious software or unwanted software installed without acceptable user consent).”
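As an added example (not code from the article, Microsoft or the researchers), the following Python inventory check lets a defender see whether firmware is handing Windows a binary through the WPBT: it decodes the table layout from Microsoft's WPBT specification (36-byte ACPI header, then handoff size and physical address, content layout, content type and UTF-16 arguments), verifies the ACPI checksum, and on Windows reads the live table via kernel32 GetSystemFirmwareTable. The field layout, the provider/table-ID encoding and the constructed sample table are assumptions labelled in the code.

```python
import struct
import sys
from collections import namedtuple

# Assumed layout (WPBT spec): ACPI table header (36 bytes), then handoff size (u32),
# handoff physical address (u64), content layout (u8), content type (u8),
# input-argument byte length (u16), followed by UTF-16LE arguments.
_HEADER = struct.Struct("<4sIBB6s8sI4sI")
_BODY = struct.Struct("<IQBBH")
Wpbt = namedtuple("Wpbt", "oem_id oem_table_id handoff_size handoff_addr "
                          "content_layout content_type input_args checksum_ok")

def parse_wpbt(raw: bytes) -> Wpbt:
    """Decode a raw WPBT and verify the ACPI checksum (all bytes sum to 0 mod 256)."""
    if len(raw) < _HEADER.size + _BODY.size:
        raise ValueError("buffer too short for a WPBT table")
    sig, length, _, _, oem_id, oem_tid, _, _, _ = _HEADER.unpack_from(raw, 0)
    if sig != b"WPBT" or length > len(raw):
        raise ValueError(f"not a well-formed WPBT table (signature {sig!r})")
    table = raw[:length]
    size, addr, layout, ctype, args_len = _BODY.unpack_from(table, _HEADER.size)
    start = _HEADER.size + _BODY.size
    args = table[start:start + args_len].decode("utf-16-le").rstrip("\0")
    # layout 1 = single flat PE image, type 1 = native user-mode application (assumed)
    return Wpbt(oem_id.rstrip(b"\0 ").decode(), oem_tid.rstrip(b"\0 ").decode(),
                size, addr, layout, ctype, args, sum(table) % 256 == 0)

def build_wpbt(handoff_addr: int, handoff_size: int, args: str = "") -> bytes:
    """Assemble a WPBT with a valid checksum; constructed sample data, not real firmware."""
    a = args.encode("utf-16-le")
    length = _HEADER.size + _BODY.size + len(a)
    hdr = _HEADER.pack(b"WPBT", length, 1, 0, b"ACMEOE", b"SAMPLE  ", 1, b"SMPL", 1)
    body = _BODY.pack(handoff_size, handoff_addr, 1, 1, len(a)) + a
    csum = (-sum(hdr + body)) % 256          # checksum byte lives at header offset 9
    return hdr[:9] + bytes([csum]) + hdr[10:] + body

def read_live_wpbt():
    """Windows only: fetch the firmware WPBT via GetSystemFirmwareTable; None if absent."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    acpi = 0x41435049                        # provider signature 'ACPI'
    tid = struct.unpack("<I", b"WPBT")[0]    # table ID as its bytes appear in memory (assumed)
    need = k32.GetSystemFirmwareTable(acpi, tid, None, 0)
    if need == 0:
        return None                          # no WPBT: firmware hands no binary to Windows
    buf = ctypes.create_string_buffer(need)
    k32.GetSystemFirmwareTable(acpi, tid, buf, need)
    return buf.raw
```

On a Windows host, `parse_wpbt(read_live_wpbt())` shows which OEM table is present and where the handoff binary sits, which is the starting point for verifying that the executable the firmware supplies is expected and signed.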

Affects All Computers Running Windows 8 or Later

The flaw discovered by the security researchers has been present on Windows computers since 2012, when the feature was first introduced with Windows 8. Attacks can use various techniques that allow writing to the memory where the ACPI tables (including the WPBT) are located, or can rely on a malicious bootloader.

This can be done by exploiting the BootHole vulnerability, which bypasses Secure Boot, or through DMA attacks from vulnerable peripherals or components. “The research team has discovered a weakness in Microsoft’s WPBT capability that can permit a threat actor to execute the malicious code with kernel rights when a device boots up.” This weakness can likely be exploited through multiple vectors (such as physical access, remote access and the supply chain) and by multiple techniques (such as a malicious bootloader, DMA, etc.).

Mitigation Measures Built Using WDAC Policies

After the researchers alerted Microsoft to the flaw, the software giant suggested using a Windows Defender Application Control (WDAC) policy, which allows controlling what binaries can execute on a Windows device.

“WDAC policy is also enforced for binaries included in the WPBT and should avoid this issue,” Microsoft states in the support document. WDAC policies can only be created on client editions of Windows 10 1903 and later and Windows 11, or on Windows Server 2016 and above.

On systems running older Windows releases, you can use AppLocker policies to control which apps are allowed to run on a Windows client. “These motherboard-level flaws can obviate initiatives like Secured-core because of the ubiquitous usage of ACPI and WPBT,” the security researchers added.


“Security professionals need to identify, verify and fortify the firmware used in their Windows systems. Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices.”

Our security researchers also found another attack vector that allows threat actors to take control of a targeted device’s boot process and break OS-level security controls, in the BIOSConnect feature of Dell SupportAssist, software that comes preinstalled on most Dell Windows devices.

As the researchers explained, the issue “affects 129 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs,” with roughly 30 million individual devices exposed to attacks.
