Cybersecurity specialists report the detection of a critical vulnerability in the Windows Platform Binary Table (WPBT) whose exploitation would allow threat actors to install rootkits on Microsoft systems released since 2012. As some users may already know, a rootkit is a malicious tool used to evade detection of malicious activity on affected systems, hiding deep inside the system and discreetly controlling multiple critical functions.
WPBT is a fixed ACPI firmware table supported by Windows since the release of Windows 8 that allows vendors to run programs every time a device starts. Besides letting vendors force the installation of critical software, the same mechanism would allow threat actors to deploy malicious code without detection.
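To show concretely what the firmware hands to Windows through this table, the following Python (an added example, not code from Eclypsium's or Microsoft's report) parses a WPBT table laid out per Microsoft's WPBT specification and validates its ACPI length and checksum before trusting any field. The sample table, vendor name, command line and memory addresses are constructed for the example.

```python
import struct

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # 36-byte header shared by all ACPI tables
# WPBT fields after the header (Microsoft WPBT spec rev. 1): handoff memory size (u32),
# handoff physical address (u64), content layout (u8), content type (u8),
# command-line length in bytes (u16), followed by the UTF-16LE command line itself.
WPBT_BODY = struct.Struct("<IQBBH")
CHECKSUM_OFFSET = 9  # signature(4) + length(4) + revision(1)

def acpi_checksum_ok(table: bytes) -> bool:
    """An ACPI table is intact when all of its bytes sum to zero modulo 256."""
    return sum(table) % 256 == 0

def parse_wpbt(table: bytes) -> dict:
    """Decode a WPBT blob, rejecting anything malformed before trusting its fields."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short for a WPBT")
    sig, length, rev, _, oem_id, oem_tbl, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if length != len(table) or not acpi_checksum_ok(table):
        raise ValueError("length or checksum mismatch")
    size, addr, layout, ctype, cl_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_BODY.size
    if start + cl_len > len(table):
        raise ValueError("command line runs past end of table")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode(),
        "oem_table_id": oem_tbl.rstrip(b"\x00 ").decode(),
        "revision": rev,
        "handoff_size": size,
        "handoff_address": addr,
        "single_pe_image": layout == 1,      # the only layout the spec defines
        "native_user_mode_app": ctype == 1,  # the only content type the spec defines
        "command_line": table[start:start + cl_len].decode("utf-16-le").rstrip("\x00"),
    }

def build_wpbt(oem_id: bytes, oem_table_id: bytes, handoff_size: int,
               handoff_addr: int, cmdline: str) -> bytes:
    """Construct a sample table for offline testing (real ones come from firmware)."""
    cl = cmdline.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(handoff_size, handoff_addr, 1, 1, len(cl)) + cl
    hdr = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                           oem_id.ljust(6), oem_table_id.ljust(8), 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) % 256  # make the bytes sum to zero
    return bytes(table)

# Constructed sample: a vendor table handing Windows a 64 KiB PE image in firmware memory.
SAMPLE = build_wpbt(b"ACME", b"WPBTTEST", 0x10000, 0x7FF00000, "vendor-agent.exe /quiet")
```

On a live Windows system the raw table bytes can be read with the kernel32 GetSystemFirmwareTable API (provider 'ACPI', table 'WPBT') and passed to parse_wpbt; the decoded fields show which binary the firmware asks Windows to run at every boot, which is what an audit of this mechanism needs to see.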
In its report, Microsoft explains: “It is critical that WPBT-based solutions are as secure as possible so as not to expose users to potential exploitation scenarios. In particular, WPBT solutions should not include malware.”
As mentioned above, the vulnerability affects all Windows computers released since 2012, and exploiting it involves multiple techniques for writing ACPI tables and the use of malicious bootloaders. A system can be compromised by exploiting the flaw known as BootHole, which undermines the system's Secure Boot, and through peripherals and other vulnerable components.
Eclypsium, whose researchers discovered the flaw, points out that it would allow a threat actor to execute malicious code with kernel privileges when the device starts, and that there is no single attack vector: “Exploitation is possible through physical and remote access thanks to the existence of multiple techniques.”
Upon receipt of the report, Microsoft acknowledged the existence of the flaw and recommended that users enable a Windows Defender Application Control (WDAC) policy to mitigate the risk of exploitation by controlling which binaries may execute on the system. It is worth mentioning that these policies can only be created on client editions of Windows 10 version 1903 and later, Windows 11, or Windows Server 2016, so the company recommended that users of earlier versions use AppLocker policies.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as a cyber security investigator. He also worked for different security companies. His everyday job includes researching new cyber security incidents. He also has deep knowledge of enterprise security implementation.