A partial response leaves plenty of room for problems
What happens when a supposedly trusted piece of software creates a major vulnerability in the systems on which it’s installed? Is the software’s publisher responsible? And, if so, what actions should they take?
Over the weekend details emerged about the dangers of eDellRoot, a self-signed root certificate that Dell's preinstalled support software placed in the Windows trust store of its PCs together with its private key; the owners never did anything beyond using the machine as shipped. Because the system trusts that root, anyone holding the key can issue certificates the affected system accepts: an attacker can impersonate any HTTPS site to those systems, or sign malware so it passes as trusted software while it goes about its dirty business. Compounding the issue, uninstalling the Dell tool through the usual means leaves the dangerous certificate in place; it has to be removed separately, by hand.
This was a serious issue, and to its credit Dell delivered a serious response:
Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability. The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.
The certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.
We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.
Your trust is important to us and we are actively working to address this issue. We thank customers such as Hanno Böck, Joe Nord and Kevin Hicks, aka rotorcowboy, who brought this to our attention. If you ever find a potential security vulnerability in any Dell product or software, we encourage you to visit this site to contact us immediately.
Here’s the sticking point: according to ComputerWorld, Dell shipped a second problem root certificate, DSDTestProvider. This one was installed on the machines of users who ran the “Detect Product” tool on Dell’s website, and it opens the same door eDellRoot did. And, of course, this one isn’t removed by the usual means either.
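For readers who want to check their own machines for either certificate, the following PowerShell script is an added example; it is not part of the original post and not Dell’s own removal tool. It searches the Windows root certificate stores for certificates whose subject common name is one of the two names discussed above (eDellRoot and DSDTestProvider), reports whether a private key is stored alongside each (the detail that makes a root certificate dangerous), and previews removal. The subject names come from this post; the store paths are the standard Cert: drive locations, and the assumption that the certificates carry exactly those common names is mine.

```powershell
# Added example (not from the post or from Dell). Looks for the two root certificates
# named in the post, reports whether a private key accompanies each, and previews removal.
# Assumptions: the certificates use the subject CN names given in the post, and they sit in
# the machine-wide or per-user Root store. Run from an elevated prompt for LocalMachine.
$SuspectNames = @('eDellRoot', 'DSDTestProvider')
$RootStores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuspectRootCert {
    param(
        [string[]] $Names  = $SuspectNames,
        [string[]] $Stores = $RootStores
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            # Subject looks like "CN=eDellRoot"; take the first RDN and strip the CN= prefix.
            $cn = (($_.Subject -split ',')[0] -replace '^\s*CN=', '').Trim()
            if ($Names -contains $cn) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A trusted root whose private key lives on the end-user machine means
                    # anyone who extracts that key can mint certificates the machine accepts.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
        }
    }
}

$found = @(Find-SuspectRootCert)
if ($found.Count -eq 0) {
    'No eDellRoot or DSDTestProvider certificates found in the Root stores.'
} else {
    $found | Format-Table -AutoSize
    # Preview removal with -WhatIf; drop it to delete for real. -DeleteKey also removes the
    # stored private key rather than leaving it orphaned in the key container.
    foreach ($cert in $found) {
        Remove-Item -Path "$($cert.Store)\$($cert.Thumbprint)" -DeleteKey -WhatIf
    }
}
```

Deleting the certificate on its own is not the whole fix: Dell’s statement above says the certificate stays gone only when its recommended removal process is followed, so remove the software component that installed it first, then re-run the check to confirm nothing has come back.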
Dell’s silence on the second certificate undercuts the post that addresses the first. This situation is still developing, but media coverage is already mounting. Dell needs to show a solution, or at least start talking about the problem (quickly!), or its reputation is going to take another hit.
The BCM Blogging Team
www.bernsteincrisismanagement.com