14 comments

[ 2.6 ms ] story [ 46.7 ms ] thread
Great work.

I remember looking at WPBT years ago as a possible means to achieve cloud-init -like functionality for Windows VMs being deployed on bhyve.

While there is no official mitigation, what's being proposed seems to be modifying the firmware to block vendor content when the code signing certificate is expired. I wonder, what does that mean if I pull mid 2000s ThinkPad out of a dumpster? Assuming WPBT would be handling stuff that's been signed by an expired certificate, would it then boot without the necessary drivers? Could this be a problem for, say, computers preserved for historical reasons, or for evidence/forensics?

To add insult to injury, many modern laptops' CPUs won't boot any firmware but that which has been signed by the vendor.

So, good luck modifying those ACPI tables to get rid of that crap.

Now, thanks to Microsoft, vendor shovelware really is persistent.

Reinstall Windows from a clean official Microsoft image? That shit is still in there.

And it should be safe to assume laptops sold in some countries like China do bundle literal state-mandated rootkits in there.

While I hate the idea of the WPBT "feature", in Microsoft's defense, it was created as a response to vendors like Absolute Software who already were injecting rootkits using their own less reliable methods.
Didn't using FDE have the side effect of protecting you from Absolute Software's rootkits?
This just isn't a defense.

In other sectors of the consumer space, they make updates that make the rootkits not work anymore.

How do you stop a rootkit that's designed into the firmware of the system you're running on?
Not sure if related, but we recently made a new, fresh Windows image for our fleet on a Dell laptop. It auto-updated to include Dell’s “Freefall protection platform” or some such Dellware. I uninstalled it and didn’t think more about it. When we started deploying the image, all machines would auto-install the Freefall crap.
Would this be the feature that's causing my ASUS Motherboard to automatically install ASUS Armoury (some silly OEM app) every time I update my BIOS?

It's frustrating to see more and more control of our machines being taken away and hidden under layers of firmware/hardware/closed source code - especially if it's exploitable like this... It seems like a very short-sighted bug!

However, I could see this feature being somewhat helpful for OEMS (Dell/HP deploying their "support assist" softwares for their devices if it's uninstalled/new copy of Windows.

> Would this be the feature that's causing my ASUS Motherboard to automatically install ASUS Armoury (some silly OEM app) every time I update my BIOS?

maybe? the other option is through window's auto driver update feature, which also runs arbitrary code. see: https://news.ycombinator.com/item?id=28273283

Yes, I believe that feature uses WPBT. On my ASUS motherboard I was able to disable it by turning off "Q-Installer" in the BIOS settings.
i don't think "weakness" is the right word for a rootkit
WPBT = "Windows Protected Boot"
It would be really nice to always spell out the abbreviation once, put in in brackets and then use it afterwards. That would save so many people precious time.