Win 8's "Windows Platform Binary Table"

dg1261

On a recent episode of his "Security Now" podcast, security researcher Steve Gibson discusses the revelation of a motherboard security vulnerability:

Motherboards made by Gigabyte were found to be secretly downloading code that the motherboard would then cause Windows machines to execute. And what was extra disturbing was that the TCP connection over which this download took place was neither authenticated nor encrypted. This meant that it would be trivial for bad guys to intercept these communications to install their own rootkit malware.


Gibson goes on to explain the tech behind the vulnerability:

With the advent of Windows 8, the [ACPI] protocol evolved to include an object called the Windows Platform Binary Table [which] has since been included in every single Windows OS shipped since 2012. In June of 2021, researchers discovered significant flaws in WPBT. These flaws make every Windows system vulnerable to easily crafted attacks that install fraudulent vendor-specific tables. These tables can be exploited by attackers with direct physical access, with remote access, or through manufacturer supply chains. More importantly, these motherboard-level flaws can obviate initiatives like Secured-Core and Secure Boot because of the ubiquitous usage of ACPI and WPBT.

So what's this Windows Platform Binary Table? It's a facility which Microsoft first defined and implemented 11 years ago, back in 2012, and it was first supported in Windows 8. It defines a clear, clean, and well-documented means for the platform from which Windows is booted - our motherboards - to provide Windows with its own code, previously stored within its firmware, which Windows, ever since Windows 8, will look for and execute when it's present as part of the Windows boot process.

Now, if your first thought is that this also perfectly describes the operation of a motherboard-based rootkit, you would be correct in your thinking. Because it was foreseeable that advanced motherboards might need to have the capability to reach up into the operating system to take advantage of its rich array of advanced services and connectivity, like downloading and installing their own firmware interface drivers, or perhaps updating their own firmware itself, and since Microsoft did not want motherboards each inventing their own horrible kludges in order to do this, Microsoft formalized this capability in what's known as the Windows Platform Binary Table.


This only affects Windows 8 and later. Gee, kinda makes us laggards clinging to Windows 7 look smart now, doesn't it?
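As an added, defender-side example that is not part of dg1261's post or of Gibson's podcast: a PowerShell script that asks the firmware for the WPBT ACPI table through the Win32 GetSystemFirmwareTable API, decodes the header fields Microsoft's WPBT v1.0 specification defines, and reports the documented DisableWpbtExecution registry opt-out. The function names are mine, and the field offsets assume the v1.0 table layout.

```powershell
# Added example (not from the original post): inventory a machine's WPBT state.
# Assumes Microsoft's WPBT v1.0 table layout; function names are mine.
$fw = Add-Type -Namespace WpbtCheck -Name Native -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

function Get-WpbtTable {
    $ACPI = 0x41435049                                                    # provider signature 'ACPI'
    $WPBT = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)
    $size = $fw::GetSystemFirmwareTable($ACPI, $WPBT, $null, 0)           # size query only
    if ($size -eq 0) { return $null }                                     # firmware publishes no WPBT
    $buf = New-Object byte[] $size
    [void]$fw::GetSystemFirmwareTable($ACPI, $WPBT, $buf, $size)
    if ($size -lt 52) { throw "WPBT too short ($size bytes) for the v1.0 fields" }
    $cmdLen = [BitConverter]::ToUInt16($buf, 50)                          # bytes, including NUL
    $cmdLen = [Math]::Min([int]$cmdLen, $size - 52)                       # never read past the table
    [pscustomobject]@{
        OemId          = [Text.Encoding]::ASCII.GetString($buf, 10, 6).Trim()
        OemTableId     = [Text.Encoding]::ASCII.GetString($buf, 16, 8).Trim()
        HandoffSize    = [BitConverter]::ToUInt32($buf, 36)               # size of the PE image
        HandoffAddress = '0x{0:X}' -f [BitConverter]::ToUInt64($buf, 40)  # physical address of image
        ContentLayout  = $buf[48]                                         # 1 = single PE image
        ContentType    = $buf[49]                                         # 1 = native user-mode app
        CommandLine    = [Text.Encoding]::Unicode.GetString($buf, 52, $cmdLen).TrimEnd([char]0)
    }
}

function Get-WpbtStatus {
    $table = Get-WpbtTable
    $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
               -Name DisableWpbtExecution -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TablePresent    = [bool]$table
        Table           = $table
        ExecutionOptOut = ($reg.DisableWpbtExecution -eq 1)               # documented registry opt-out
        DroppedBinary   = Test-Path "$env:SystemRoot\System32\wpbbin.exe" # where Windows writes the image
    }
}

Get-WpbtStatus | Format-List
```

Run it elevated on a Windows 8 or later machine; a present table with a vendor OEM ID you did not expect, or a wpbbin.exe on disk with the opt-out unset, is what to investigate.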