STE WILLIAMS

Dell: Yes, we shipped laptops, PCs with a nasty web security hole

Dell says it will publish a guide to remove the web security backdoor it installed in its Windows laptops and desktop PCs.

This confirms what we all know by now – that Dell was selling computers with a rather embarrassing hole in their defenses.

New models from the XPS, Precision and Inspiron families include a powerful root CA certificate called eDellRoot, which puts the machines’ owners at risk of identity theft and banking fraud.

The certificate is bundled with its private key, which is a boon for man-in-the-middle attackers: for example, if an affected Dell connects to a malicious Wi-Fi hotspot, whoever runs that hotspot can use Dell’s cert and key to silently decrypt the victims’ web traffic. This would reveal their usernames, passwords, session cookies and other sensitive details, when shopping or banking online, or connecting to any other HTTPS-protected website.

Stunningly, the certificate cannot be simply removed: a .DLL plugin included with the root certificate reinstalls the file if it is deleted. One has to delete the .DLL – Dell.Foundation.Agent.Plugins.eDell.dll – as well as the eDellRoot certificate.

Dell said it will post information on how to do this properly on its support website, and future machines will not include the dangerous root CA cert.

In a statement to the media, the Texas-based IT titan said:

The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability.

Dell’s statement added that it started including the root CA certificate with machines in August, although an Inspiron 15 series laptop we bought in July has the certificate on it.

If you’ve got a new Dell, you can check here to see if you have the dodgy root CA cert installed. And if you can’t wait for the official advice, you can try deleting the .DLL from the filesystem, and the cert from the Windows certificate manager – or use Mozilla’s Firefox because that web browser has its own set of trusted certificates, and ignores the rogue eDellRoot. ®
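
The check and the removal order described above (plugin first, then certificate), as an added PowerShell example that is not from the article or from Dell. The certificate stores searched, the Program Files search roots and the -Remove switch are assumptions; the article supplies only the certificate name and the DLL file name.

```powershell
# Added example: audit for the eDellRoot root CA and the plugin that reinstalls it.
# Run from an elevated prompt; without -Remove the script only reports.
param([switch]$Remove)

$certName = 'eDellRoot'
$dllName  = 'Dell.Foundation.Agent.Plugins.eDell.dll'

# Assumption: the trusted-root stores for the machine and the current user.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$certs = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*CN=$certName*" }
}

# Assumption: the plugin lives somewhere under Program Files (the article gives no path).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }
$dlls = Get-ChildItem -Path $roots -Filter $dllName -Recurse -File -ErrorAction SilentlyContinue

if (-not $certs -and -not $dlls) {
    Write-Output "No $certName certificate or $dllName found."
    return
}

foreach ($c in $certs) {
    # HasPrivateKey = True means the signing key is on this machine as well.
    Write-Output ("Certificate: {0}  thumbprint={1}  expires={2:yyyy-MM-dd}  private key={3}" -f `
        $c.Subject, $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey)
}
foreach ($d in $dlls) { Write-Output "Plugin:      $($d.FullName)" }

if ($Remove) {
    try {
        # Delete the plugin first; left in place it puts the certificate back.
        foreach ($d in $dlls) { Remove-Item -LiteralPath $d.FullName -Force -ErrorAction Stop }
    } catch {
        Write-Warning "Could not delete the plugin ($($_.Exception.Message)); certificate left untouched."
        return
    }
    foreach ($c in $certs) {
        # -DeleteKey (certificate provider, PowerShell 3.0+) removes the private key too.
        Remove-Item -Path $c.PSPath -DeleteKey -ErrorAction Stop
        Write-Output "Removed certificate $($c.Thumbprint)"
    }
}
```

Running the script again after a reboot shows whether the certificate has reappeared.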

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/24/dell_superfish_2/