Dell admits to Superfish-style certificate flaw

November 24, 2015 // 11:33 a.m.

Tags: #certificate #certificate-authority #dell #insecurity #lenovo #security #self-signed-certificate #superfish #vulnerability

Dell has been found to have installed an insecure, self-signed root certificate on the machines it sells - the same security flaw that drew the ire of Lenovo's customers earlier this year - which allows unlimited man-in-the-middle and malware attacks.

Lenovo was caught installing an insecure advertising-related tool dubbed Superfish back in February, but while its users found the idea of the machine they'd paid for being used to build a recurring revenue stream for the Chinese company there was a bigger issue: a self-signed security certificate, installed by default into the system, which held a copy of its own private key. This certificate was granted full permissions to sign anything on the system, from websites to executables and drivers - allowing ne'er-do-wells to hijack TLS-protected web sessions or install malicious code without so much as a warning message.

It was a major blow for confidence in Lenovo's brand, but now one of its biggest rivals has fallen to the same issue: Dell has confirmed that it, too, has been shipping systems with a pre-installed self-signed and insecure certificate, though it is defending the practice as 'making it easier and faster to service our customers' - the alternate reading of that sentence being somewhat more accurate than Dell may have intended.

'Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability,' claimed Dell's Laura Thomas in a blog post published late last night. 'The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.'

Dell has confirmed that it will remove the certificate from all systems through an automated update from today onwards and that it will no longer ship by default with Dell systems. Those who don't want to wait can find manual removal instructions here (DocX warning).
Discuss this in the forums

QUICK COMMENT

SUBSCRIBE TO OUR NEWSLETTER

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU