October 3, 2023

Security researchers have found a flaw in Microsoft’s implementation of the Microsoft Windows Platform Binary Table (WPBT) mechanism, which can be exploited to compromise computers running Windows 8 and Windows 10 operating systems.

Microsoft describes WPBT as a fixed firmware Advanced Configuration and Power Interface (ACPI) table that was introduced with Windows 8 to enable OEMs and vendors to execute programs every time the Windows device boots up.

WPBT has been adopted by popular vendors including Lenovo, ASUS, and others. The vulnerability in WPBT found while working on the BIOSDisconnect vulnerabilities which exposed Dell devices to remote execution attacks.

The WPBT issue stems from the fact that while Microsoft requires a WPBT binary to be signed, it will accept an expired or revoked certificate, giving attackers the opportunity to sign malicious binaries with any readily available expired certificate.

This weakness can be easily exploited via multiple vectors (e.g. physical access, remote, and supply chain, Poisoning attacks) and by multiple techniques (e.g. malicious bootloader, Rootkits DMA, etc),

Leave a Reply

%d bloggers like this: