lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Aug 2015 09:47:26 +0300
From: Jerome Athias <>
To: Kevin Beaumont <>
Subject: Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

Some more info

2015-08-12 14:44 GMT+03:00 Kevin Beaumont <>:
> There will be debate about if this is a vulnerability.  It affects a
> majority of user PCs -- including all Enterprise editions of Windows,
> there is no way to disable it, and allows direct code execution into
> secure boot sequences.  I believe it is worth discussing.
> Microsoft documented a feature in Windows 8 and above called Windows
> Platform Binary Table.  Up until two days ago, this was a single Word
> document not referenced elsewhere on Google:
> This feature allows a BIOS to deliver the payload of an executable,
> which is run in memory, silently, each time a system is booted.  The
> executable code is run under under Session Manager context (i.e.
> This technique is being used by Lenovo and HP to silently deliver
> software, even after systems are completely wiped.  This issue came to
> light in this forum thread:
> Additionally, the code is injected and executed in Windows after the
> Windows kernel has booted - meaning hard drives are accessible.  In a
> HP document - page
> 18 - they reference they use Windows Platform Binary Table to inject
> their code into encrypted systems (e.g. BitLocker) (!!!!).
> It is not possible to disable this functionality.  If you can gain
> access to the BIOS, you can inject code into the Windows boot sequence
> using the documentation linked above.  The BIOS delivered PE code is
> not countersigned by Microsoft.
> Microsoft say: "If partners intentionally or unintentionally introduce
> malware or unwanted software though the WPBT, Microsoft may remove
> such software through the use of antimalware software.  Software that
> is determined to be malicious may be subject to immediate removal
> without notice."
> However, you are relying on Microsoft being aware of attacks.  Since
> the code is executed in memory and not written to disk prior to
> activation, Windows Defender does not even scan the executed code.

Powered by blists - more mailing lists