{"id":3257,"date":"2021-09-27T16:43:20","date_gmt":"2021-09-27T11:13:20","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3257"},"modified":"2021-09-27T16:43:21","modified_gmt":"2021-09-27T11:13:21","slug":"microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/","title":{"rendered":"Microsoft WPBT Bug Allow Threat Actors to Install Rootkits on Windows Devices"},"content":{"rendered":"\n<p style=\"text-align: justify;\">Security researchers have discovered a bug in the Microsoft Windows Platform Binary Table (WPBT) that could be abused in an easy attack to install rootkits on all Windows computers shipped since 2012.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Rootkits are malicious tools that threat actors create to evade detection by embedding themselves deep in the OS; they are used to take complete control of compromised systems while remaining hidden. WPBT is a fixed firmware ACPI (Advanced Configuration and Power Interface) table that Microsoft introduced with Windows 8 to let vendors run programs every time a device boots.<\/p>\n\n\n\n<p style=\"text-align: justify;\">However, besides allowing OEMs to force-install critical software that cannot be bundled with Windows installation media, this mechanism can also allow attackers to deploy malicious tools, as Microsoft warns in its own documentation.<\/p>\n\n\n\n<p style=\"text-align: justify;\">\u201cBecause this feature facilitates the ability to endlessly run the system software in the context of Windows, it becomes critical that WPBT-based solutions are as protected as possible and do not reveal Windows users to exploit conditions,\u201d Microsoft explains.<\/p>\n\n\n\n<p style=\"text-align: justify;\">\u201cIn particular, WPBT solutions must not include malware (i.e. malicious software or unwanted software installed without acceptable user consent).\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Affects All Computers Running Windows 8 or Later<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify;\">The flaw discovered by the security researchers has been present on Windows computers since 2012, when the feature was first introduced with Windows 8. Attacks can use various techniques that allow writing to the memory where the ACPI tables (including WPBT) are located, or can rely on a malicious bootloader.<\/p>\n\n\n\n<p style=\"text-align: justify;\">This can be done by exploiting the BootHole vulnerability, which bypasses Secure Boot, or through DMA attacks from vulnerable peripherals or components. \u201cThe research team has discovered a weakness in Microsoft\u2019s WPBT capability that can permit a threat actor to execute the malicious code with kernel rights when a device boots up.\u201d This weakness can potentially be exploited through multiple vectors (physical access, remote, and supply chain) and by multiple techniques (malicious bootloader, DMA, etc.).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Mitigation Measures Built Using WDAC Policies<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify;\">After the researchers reported the flaw to Microsoft, the company recommended using a Windows Defender Application Control (WDAC) policy, which controls which binaries are allowed to execute on a Windows device.<\/p>\n\n\n\n<p style=\"text-align: justify;\">\u201cWDAC policy is also enforced for binaries included in the WPBT and should avoid this issue,\u201d Microsoft states in the support document. WDAC policies can only be created on client editions of Windows 10 1903 and later, Windows 11, or Windows Server 2016 and later.<\/p>\n\n\n\n<p style=\"text-align: justify;\">On systems running older Windows releases, AppLocker policies can be used to control which apps are allowed to run on a Windows client. &#8220;These motherboard-level flaws can obviate initiatives like Secured-core because of the ubiquitous usage of ACPI and WPBT,&#8221; the security researchers added.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Microsoft-WPBT-Bugs-Allow-Threat-Actors-to-Install-Rootkits-on-Windows-Devices-image1.jpg\" alt=\"Microsoft-WPBT-Bugs-Allow-Threat-Actors-to-Install-Rootkits-on-Windows-Devices-image1\" class=\"wp-image-3259\" width=\"640\" height=\"334\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Microsoft-WPBT-Bugs-Allow-Threat-Actors-to-Install-Rootkits-on-Windows-Devices-image1.jpg 728w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Microsoft-WPBT-Bugs-Allow-Threat-Actors-to-Install-Rootkits-on-Windows-Devices-image1-300x157.jpg 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify;\">&#8220;Security professionals need to identify, verify and fortify the firmware used in their Windows systems. Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices.&#8221;<\/p>\n\n\n\n<p style=\"text-align: justify;\">Our security investigators found another attack vector that allows threat actors to take control of a targeted device&#8217;s boot process and break OS-level security controls, in the BIOSConnect feature of Dell SupportAssist, software that comes preinstalled on most Dell Windows devices.<\/p>\n\n\n\n<p style=\"text-align: justify;\">As the investigators explained, the issue &#8220;affects 129 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs,&#8221; with roughly 30 million individual devices exposed to attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have discovered a bug in the Microsoft Windows Platform Binary Table (WPBT) that could be abused in an easy attack to install rootkits on all Windows computers shipped since 2012. 
Rootkits are malicious tools that threat actors create to evade detection by embedding themselves deep in the OS; they are used to take complete control of compromised [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3260,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Microsoft WPBT Bug Allow Threat Actors to Install Rootkits on Windows Devices - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft WPBT Bug Allow Threat Actors to Install Rootkits on Windows Devices - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"Security Investigators have discovered a bug in the Microsoft Windows Platform Binary Table (WPBT) that could be harmed in an easy attack to install rootkits on all Windows computers shipped since 2012. 
Rootkits are malicious tools threat actors generate to avoid detection by depositing deep into the OS and utilized to completely take over negotiated [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-27T11:13:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-09-27T11:13:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/09\/Microsoft-WPBT-Bugs-Allow-Threat-Actors-to-Install-Rootkits-on-Windows-Devices-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"Microsoft WPBT Bug Allow Threat Actors to Install Rootkits on Windows Devices\",\"datePublished\":\"2021-09-27T11:13:20+00:00\",\"dateModified\":\"2021-09-27T11:13:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/\"},\"wordCount\":575,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/\",\"url\":\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/\",\"name\":\"Microsoft WPBT Bug Allow Threat Actors to Install Rootkits on Windows Devices - Xiarch Solutions Private 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-09-27T11:13:20+00:00\",\"dateModified\":\"2021-09-27T11:13:21+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/microsoft-wpbt-bug-allow-threat-actors-to-install-rootkits-on-windows-devices\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft WPBT Bug Allow Threat Actors to Install Rootkits on Windows Devices\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3257"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=3257"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3257\/revisions"}],"predecessor-version":[{"id":3261,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3257\/revisions\/3261"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/3260"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=3257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=3257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=3257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}