What the Dell? Laptops shipped with the exact security flaw which was advertised …

25 Nov 2015

And then there were two: Another dangerous Dell root certificate discovered.

As part of the promotion of its flagship XPS 15, Dell touts the laptop’s security. “Worried about Superfish?” the product page asks, invoking a now-infamous Lenovo lapse from earlier this year. “Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience … reduced privacy and security concerns.” That messaging remains, even after Dell has experienced a security lapse of its own—one remarkably similar to Superfish.

Dell announced a fix Monday for the “eDellRoot” certificate it installed on laptops and PCs that “unintentionally introduced a security vulnerability risk” to its customers.

The plot thickens: after Dell confirmed that one of its support tools installed a dangerous self-signed root certificate, together with its private key, on customers' computers, users discovered a similar certificate deployed by a different Dell tool.

Major U.S. computer company Dell Inc said on Monday that a security hole exists in some of its recently shipped laptops that could make it easy for hackers to access users’ private data. A pre-installed program on some newly purchased Dell laptops, which consumers can only remove manually, makes them vulnerable to intrusions that may allow attackers to read encrypted messages and redirect browser traffic to spoofs of real websites such as Google or those belonging to a bank, among other attacks. The reason is that the certificate is installed as a trusted root and the same private key ships on every affected machine: anyone who extracts that key can sign a certificate for any domain, and the affected laptops will accept it as genuine. “The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience,” Dell said in a statement to Reuters. “Unfortunately, the certificate introduced an unintended security vulnerability. This certificate is not being used to collect personal customer information.” Dell declined to say how many computers or which specific models are affected. The security flaw, which gained attention as the news spread on Reddit, leaves users’ communications, passwords, usernames and other sensitive information potentially open to “man-in-the-middle” attackers. Dell said it would provide customers with instructions to permanently remove the certificate by email and on its support website, a process that will likely be highly technical.

Dell tells WIRED that the automated fix could take about a week to reach all affected models, and the manual method takes a little know-how and a lot of clicking, so your best bet is likely the patch. Security experts told the BBC that the software had two flaws: “It would allow traffic to be intercepted, potentially exposing sensitive information; secondly, the key could be used to make a user’s computer misidentify unsafe connections as safe.” One scenario computer security expert Graham Cluley outlined on his website involves hackers “[hanging] out in hotel lobbies, coffee shops and airport lounges, and [exploiting] the flaw through a silent man-in-the-middle attack, decrypting Wi-Fi communications without the knowledge of the victim.” Dell addressed the issue by publishing instructions for the certificate’s removal and added that it will be left off all of its new systems going forward. This is not the first problem with Dell's support tooling: in April, a security researcher disclosed a vulnerability that could have allowed a remote attacker to install malware on a computer with the Dell System Detect (DSD) application running.

Tests performed inside a Windows 10 virtual machine revealed that the DSDTestProvider certificate is left behind in the system's trusted root store when the Dell System Detect tool is uninstalled. It turns out that any commercial or consumer Dell PC that received the software update rolled out starting August 15 has been saddled with eDellRoot, a pre-installed root certificate whose private key is stored on the machine. A trusted-certificate vulnerability is the core problem in both the Dell and Lenovo cases, but in Lenovo’s case the offending party was Superfish, pre-installed adware that turned out to be toxic bloat. And over the last two months, Google has publicly shamed Symantec, the world’s largest cybersecurity company, over a bevy of misissued certificates. As customers become more aware of the importance of security and privacy in their own lives, companies are more inclined to market it, whether they’re Blackphone or Apple (which had its own critical SSL failure revealed last year) or Dell.
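Since the manual fix amounts to finding the right entries in the Windows certificate store and deleting them, a practitioner will want to check a machine without clicking through the certificates MMC snap-in. The script below is an added example, not Dell's own removal tool or any code from the page: it lists any certificate in the machine and user trusted-root stores whose Subject CN is eDellRoot or DSDTestProvider (the two names the article gives; it publishes no thumbprints, so the match is on the name), shows whether the private key is present on the box, and removes the entries only when run with a hypothetical -Remove switch that this example defines. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Dell's tool): audit and optionally remove the eDellRoot and
# DSDTestProvider root certificates. Run elevated; supports -WhatIf via ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical switch defined by this example: without it the script only reports.
    [switch]$Remove
)

# Certificate names taken from the article; no thumbprints are published, so match on CN.
$rogueNames = @('eDellRoot', 'DSDTestProvider')
$stores     = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $cert = $_
        foreach ($name in $rogueNames) {
            # Anchor on the CN so a legitimate cert that merely mentions the name is not matched.
            if ($cert.Subject -match ('^CN=' + [regex]::Escape($name) + '(,|$)')) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    # A trust anchor should never carry its private key on the endpoint;
                    # $true here is exactly the condition that enables the man-in-the-middle attack.
                    HasPrivateKey = $cert.HasPrivateKey
                    Path          = $cert.PSPath
                }
            }
        }
    }
}

if (-not $found) {
    Write-Host 'No eDellRoot or DSDTestProvider certificates found in the trusted root stores.'
    return
}

$found | Format-Table Store, Subject, Thumbprint, HasPrivateKey, NotAfter -AutoSize

if ($Remove) {
    foreach ($c in $found) {
        if ($PSCmdlet.ShouldProcess($c.Subject, "Remove from $($c.Store)")) {
            Remove-Item -Path $c.Path
        }
    }
}
```

Two caveats apply. First, deleting the certificate is only half of Dell's "permanent" removal: the support software that installed eDellRoot can put it back, so that component has to be removed or updated first, which is why Dell's own instructions do not stop at the certificate store. Second, as the article notes, uninstalling Dell System Detect does not take DSDTestProvider with it, so the store has to be checked after the uninstall, not before.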

There is some demonstrable good in that. “I’m glad vendors talk about the degree of their security,” says analyst Patrick Moorhead, “because it puts everyone at the company on notice that they need to be vigilant about it.” The flip side, though, is that these companies may be advertising something that’s increasingly difficult to deliver. One day Dell is pointing to the security testing of its pre-loaded software on the XPS 15 product page; the next, its spokesperson is sending out a statement that “We are taking steps to actively address this issue including re-evaluating our processes companywide to ensure we’re providing the utmost security to our customers.” It’s frustrating that Dell thought it had already taken those steps.
