Windows Bug Let Hackers Install RootKits on All Windows-based Devices Since Windows 8

An unpatched vulnerability in Microsoft Windows Platform Binary Table (WPBT) has been identified by the cybersecurity researchers of Eclypsium. 

This bug is continuously attacking all Windows-based devices since Windows 8 could be possibly exploited to install a rootkit as well as to negotiate the integrity of devices.

Moreover, these types of bugs generally make every Windows system weak and unsafe, and threat actors easily-crafts attacks that install fraudulent vendor-specific tables.

WPBT – The OEM Rootkit

However, the Windows Platform Binary Table (WPBT) is an ACPI table that was initially introduced in Windows 8. And ACPI has come with the aim to give the OS more control, WPBT can give the firmware a foothold in the OS. 

This functionality was dedicated to let OEMs incorporate the following things:-

  • Important files
  • Drivers
  • Executables for the system

And it does not require modifying the Windows image on disk, so, this particular technology has been used by a number of vendors that also include Lenovo, ASUS, and many more.

Using and abusing WPBT

On completion of the investigation, the analysts have disclosed regarding BIOSDisconnect in June, and they also revealed a set of four vulnerabilities that enabled them to gain remote execution inside the firmware of a device. 

But, the most interesting as well as important point regarding this attack is that it can be performed on the most recent and secured Dell platforms, including Secured-Core PCs.

Not only this but, negotiating the firmware update process, the authorities are capable of loading their own implant DXE driver that generally controls various boot-related functions.

Attack vectors and scenarios

While it is quite essential to perceive that this vulnerability can be exploited in different ways. This kind of attack is conceivable using any kind of method that can address to memory where the ACPI tables are located. 

There are some attack vectors, and here we have mentioned them below:-

  • Attacker With Physical Access
  • Remote Attacker 
  • Supply Chain Attack


Microsoft here suggests the customers use the “Windows Defender Application Control” (WDAC) as it will help them to limit what is allotted to run on their devices.

As the WDAC policy is also being implemented for binaries incorporated in the WPBT and customers should also mitigate this issue. Moreover, they also recommend customers implement a WDAC policy that is as prohibitive as practical for their environment. 

Organizations must keep their attention on this kind of attack, as it is quite dangerous and can give result in huge damages. And the most important point that makes it dangerous is that it can be exploited by multiple methods.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.