Threat Advisory: Critical MS Windows BIOS File Write Vulnerability

Event Summary

Security researchers have disclosed a flaw in the way Microsoft Windows validates the digital signature of the Original Equipment Manufacturer (OEM) binary delivered through the Windows Platform Binary Table (WPBT). Windows accepts a WPBT binary whose signing certificate has expired or been revoked, so a threat actor who can supply that binary gains system-level code execution at boot, including the ability to install a rootkit. The flaw affects Windows 8 and later.

Details

The Windows Platform Binary Table (WPBT) is an Advanced Configuration and Power Interface (ACPI) table through which an Original Equipment Manufacturer (OEM, i.e. Dell, Lenovo, Asus, et al.) can have the system firmware hand a Windows executable to the operating system. Windows extracts and runs that executable early in the boot process, with system privileges, which is how OEM management software is made to survive a reinstall of Windows. Windows is supposed to accept only a properly signed binary. The flaw is in that signature check: a binary signed with a certificate that has expired or been revoked is still accepted, so the check does not stop malicious code that carries such a signature.

Threat actors who can place their own binary in the WPBT, whether through tampered firmware or by using techniques that write the table directly into memory, can have Windows execute it with system privileges at every boot, install rootkits, or run other code of their choosing.

This affects all computers running Windows 8 or later.

Recommendations

Microsoft recommends deploying a Windows Defender Application Control (WDAC) policy, which controls which binaries are allowed to run on a Windows device. A WDAC policy can block the binary delivered through the WPBT from executing, for example with a deny rule for its hash or publisher; a WDAC deny rule takes effect even when the WPBT signature check would have accepted the binary.

WDAC policies can be created only on client editions of Windows 10 1903 and later, on Windows 11, or on Windows Server 2016 and above.

For systems running older Windows releases, AppLocker policies can be used instead to control which applications are allowed to run on a Windows client.

More information on these controls is available in the Microsoft Docs article listed under Sources.
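The following PowerShell script is an added example, not code from this advisory or from Microsoft, illustrating both the Details section (how to tell whether the firmware exposed a WPBT table and what Windows ran from it) and the Recommendations above (a WDAC deny rule for that binary). It assumes an elevated session on Windows 10 1903 or later with the ConfigCI module, that smss.exe writes the WPBT payload to %SystemRoot%\System32\wpbbin.exe, and that the Microsoft example base policy DefaultWindows_Audit.xml exists under %SystemRoot%\schemas\CodeIntegrity\ExamplePolicies; the function names, output paths and sample policy are assumptions.

```powershell
# Added example (not from the advisory or from Microsoft): check a host for a WPBT payload
# and build a WDAC policy that denies it. Run elevated; requires the ConfigCI module
# that ships with Windows 10 1903+ / Windows 11 / Windows Server 2016+.

# P/Invoke kernel32!EnumSystemFirmwareTables so we can list the ACPI tables the firmware exposed.
if (-not ('Win32.Firmware' -as [type])) {
    Add-Type -Namespace Win32 -Name Firmware -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, IntPtr buffer, uint size);
'@
}

function Get-AcpiTableSignatures {
    $ACPI = 0x41435049   # 'ACPI' provider signature, as documented for EnumSystemFirmwareTables
    $size = [Win32.Firmware]::EnumSystemFirmwareTables($ACPI, [IntPtr]::Zero, 0)
    if ($size -eq 0) {
        throw "EnumSystemFirmwareTables failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$size)
    try {
        $got   = [Win32.Firmware]::EnumSystemFirmwareTables($ACPI, $buf, $size)
        $bytes = New-Object byte[] ([int]$got)
        [Runtime.InteropServices.Marshal]::Copy($buf, $bytes, 0, [int]$got)
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
    # The buffer is a packed list of 4-byte ACPI table signatures ("FACP", "APIC", "WPBT", ...).
    $text = [Text.Encoding]::ASCII.GetString($bytes)
    for ($i = 0; $i + 4 -le $text.Length; $i += 4) { $text.Substring($i, 4) }
}

function Get-WpbtStatus {
    # Assumption: smss.exe extracts the WPBT payload to this path before running it at boot.
    $payload = Join-Path $env:SystemRoot 'System32\wpbbin.exe'
    $status = [ordered]@{
        WpbtTablePresent = (Get-AcpiTableSignatures) -contains 'WPBT'
        PayloadOnDisk    = Test-Path $payload
        PayloadPath      = $payload
    }
    if ($status.PayloadOnDisk) {
        $sig = Get-AuthenticodeSignature -FilePath $payload
        $status.SignatureStatus = $sig.Status
        $status.Signer          = $sig.SignerCertificate.Subject
        # The flaw: Windows ran the payload even when this certificate was expired or revoked,
        # so check the expiry explicitly instead of trusting the boot-time signature check.
        $status.SignerExpired   = [bool]($sig.SignerCertificate -and
                                         $sig.SignerCertificate.NotAfter -lt (Get-Date))
        $status.Sha256          = (Get-FileHash -Path $payload -Algorithm SHA256).Hash
    }
    [pscustomobject]$status
}

function New-WpbtDenyPolicy {
    param(
        [string]$PayloadPath = (Join-Path $env:SystemRoot 'System32\wpbbin.exe'),
        # Assumption: the Microsoft example audit-mode base policy shipped with Windows.
        [string]$BasePolicy  = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml",
        [string]$OutXml      = (Join-Path $env:TEMP 'WpbtDeny.xml'),
        [string]$OutBin      = (Join-Path $env:TEMP 'WpbtDeny.bin')
    )
    if (-not (Test-Path $PayloadPath)) { throw "No WPBT payload at $PayloadPath; nothing to deny." }
    # A WDAC deny rule takes precedence over any allow rule, so a payload whose expired or
    # revoked signature Windows would still accept is blocked regardless of that signature.
    $rules = New-CIPolicyRule -DriverFilePath $PayloadPath -Level Hash -Deny
    Merge-CIPolicy -OutputFilePath $OutXml -PolicyPaths $BasePolicy -Rules $rules | Out-Null
    # The base policy is in audit mode (rule option 3). Validate in audit first, then enforce with:
    #   Set-RuleOption -FilePath $OutXml -Option 3 -Delete
    ConvertFrom-CIPolicy -XmlFilePath $OutXml -BinaryFilePath $OutBin | Out-Null
    $OutBin
}

# Usage: report WPBT status; build the deny policy only when a payload was actually found.
$wpbt = Get-WpbtStatus
$wpbt | Format-List
if ($wpbt.PayloadOnDisk) { New-WpbtDenyPolicy }
```

Two caveats for anyone running this. First, a hash-level deny rule pins only the exact payload observed on this host; an attacker who controls the WPBT can supply a different binary with a different hash, so the durable protection is a WDAC policy whose allow list does not cover the OEM's publisher at all, since WDAC denies any executable the policy does not explicitly allow. Second, the compiled policy binary still has to be deployed (the file name and location depend on whether the policy is in single- or multiple-policy format) and the system rebooted; follow the Microsoft Docs article under Sources for that step rather than copying the file blindly.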

SOD Actions

Security On-Demand advises implementing Microsoft's mitigations as soon as possible in order to avoid any future incidents. No active exploitation of this vulnerability has been observed, but it is only a matter of time before advanced threat actors take advantage of this flaw.

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates.

If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.

Sources

Windows Defender Application Control and AppLocker Overview – Microsoft Docs

Microsoft WPBT Flaw – Bleeping Computer, Security News

Microsoft Vulnerability in WPBT – Binary Defense, Threat Watch