Microsoft WPBT flaw lets hackers install rootkits on Windows devices


Level 37
Thread author
Top poster
Feb 4, 2016
Security researchers have found a flaw in the Microsoft Windows Platform Binary Table (WPBT) that could be exploited in easy attacks to install rootkits on all Windows computers shipped since 2012.
Rootkits are malicious tools threat actors create to evade detection by burying deep into the OS and used to fully take over compromised systems while evading detection.

WPBT is a fixed firmware ACPI (Advanced Configuration and Power Interface) table introduced by Microsoft starting with Windows 8 to allow vendors to execute programs every time a device boots.

However, besides enabling OEMs to force install critical software that can't be bundled with Windows installation media, this mechanism can also allow attackers to deploy malicious tools, as Microsoft warns in its own documentation.

Impacts all computers running Windows 8 or later​

The weakness found by Eclypsium researchers is present on Windows computers since 2012, when the feature was first introduced with Windows 8.
These attacks can use various techniques that allow writing to memory where ACPI tables (including WPBT) are located or by using a malicious bootloader.

This can be by abusing the BootHole vulnerability that bypasses Secure Boot or via DMA attacks from vulnerable peripherals or components.