DELL ISN'T HAVING A GOOD WEEK. A second root certificate has been found on its PCs and laptops that could leave users' personal information exposed to attackers.
The second certificate, called DSDTestProvider, is installed by an application called Dell System Detect (DSD), which users are prompted to download and install when they visit the Dell support website.
Carnegie Mellon University's CERT said in an advisory that the certificate lets an attacker mint certificates that affected systems will trust, and so impersonate websites and mount man-in-the-middle attacks.
"An attacker can generate certificates signed by the DSDTestProvider CA. Systems that trust the DSDTestProvider CA will trust any certificate issued by the CA," it said.
"An attacker can impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data.
"Common attack scenarios include impersonating a web site, performing a [man-in-the-middle] attack to decrypt HTTPS traffic, and installing malicious software. Such an attack involves the hacker intercepting internet traffic between the user's browser and the site they are accessing."
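To make the CERT statement concrete, here is an added PowerShell example. It is our own illustration, not code from CERT, Dell or the article's sources, and everything in it is a stand-in: a throw-away CA named DemoTestProvider plays the part of DSDTestProvider, and login.example.com is a hypothetical site the attacker does not own. It mints a server certificate for that site, shows Windows rejecting it while the CA is untrusted, then shows the same certificate being accepted once the CA's public certificate sits in the user's trusted-root store, which is the state a preloaded root certificate leaves a machine in. It needs Windows 10 or later with Windows PowerShell 5.1, touches only the current user's certificate stores, and cleans up after itself.

```powershell
# Added example, not from the article, CERT or Dell. "DemoTestProvider" and
# "login.example.com" are stand-ins chosen for this demonstration.
using namespace System.Security.Cryptography.X509Certificates

$caName   = 'DemoTestProvider'    # stand-in for DSDTestProvider
$hostname = 'login.example.com'   # hypothetical site the attacker impersonates

function Test-Chain {
    param([X509Certificate2]$Cert, [X509Certificate2]$Issuer)
    # Build the chain the way a browser or SChannel client would. ExtraStore
    # only supplies the issuer for chain building; it does not make it trusted.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'     # no CRL for a throw-away CA
    $null = $chain.ChainPolicy.ExtraStore.Add($Issuer)
    $trusted = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $chain.Dispose()
    [pscustomobject]@{ Subject = $Cert.Subject; Trusted = $trusted; Status = $status }
}

# 1. The "leaked" CA as an attacker holds it: certificate plus private key.
$ca = New-SelfSignedCertificate -Subject "CN=$caName" `
        -KeyUsage CertSign, CRLSign `
        -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
        -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Mint a TLS server certificate for a name the attacker does not control.
$leaf = New-SelfSignedCertificate -Subject "CN=$hostname" -DnsName $hostname `
        -Signer $ca `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
        -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. While the CA is not trusted the forged certificate fails (UntrustedRoot).
Test-Chain -Cert $leaf -Issuer $ca

# 4. Put only the CA's public certificate into the user's trusted-root store.
#    Windows shows a confirmation dialog when a root is added to CurrentUser.
$caPublic = [X509Certificate2]::new($ca.RawData)
$root = [X509Store]::new('Root', 'CurrentUser')
$root.Open('ReadWrite'); $root.Add($caPublic); $root.Close()

# 5. Same certificate, now accepted: the machine trusts anything the CA signs.
Test-Chain -Cert $leaf -Issuer $ca

# 6. Clean up: withdraw the trust and delete both certificates with their keys.
$root.Open('ReadWrite'); $root.Remove($caPublic); $root.Close()
Remove-Item "Cert:\CurrentUser\My\$($leaf.Thumbprint)" -DeleteKey
Remove-Item "Cert:\CurrentUser\My\$($ca.Thumbprint)" -DeleteKey
```

Step 3 reports Trusted = False with an UntrustedRoot status; step 5 reports Trusted = True with an empty status. Nothing about the forged certificate changed between the two, only whether the CA was in the root store, which is why a root certificate whose private key is obtainable is a problem for every machine that trusts it, not just the one it was taken from.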
Speaking to the BBC, Dell said that this latest problem affected users who downloaded its Dell System Detect product between 20 October and 24 November 2015.
It said the product was removed from its site once the issue was spotted and a replacement application was made available.
The unearthing of DSDTestProvider comes just days after it was revealed that Dell kit was shipping a self-signed root certificate, together with its private key, called eDellRoot.
According to a Reddit post started by a user called Rotorcowboy, the CA was found on a brand new Dell XPS 15 laptop after some digging.
"I got a shiny new XPS 15 laptop from Dell, and while attempting to troubleshoot a problem, I discovered that it came pre-loaded with a self-signed root CA by the name of eDellRoot. With it came its private key, marked as non-exportable. However, it is still possible to obtain a raw copy of the private key by using several tools available (I used NCC Group's Jailbreak tool)," he wrote.
"After briefly discussing this with someone else who had discovered this too, we determined that they are shipping every laptop they distribute with the exact same root certificate and private key, very similar to what Superfish did on Lenovo computers. For those that aren't familiar, this is a major security vulnerability that endangers all recent Dell customers."
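For anyone with a Dell machine, the practical check is whether either certificate is sitting in the Windows trusted-root stores and whether a private key is stored alongside it, which is the detail that makes the Reddit finding serious. The script below is an added example of ours, not a Dell tool and not code from the article or the Reddit thread; it matches on the two names the article gives (eDellRoot and DSDTestProvider), reports each hit, and deletes the matches when run with -Remove. Removing from LocalMachine\Root requires an elevated shell.

```powershell
# Added example, not Dell's tool or the article's code. Finds the two root CAs
# named in the article in the Windows trusted-root stores, reports whether a
# private key is present beside each, and removes them on request.
param([switch]$Remove)

$suspectNames = @('eDellRoot', 'DSDTestProvider')
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$hits = foreach ($path in $stores) {
    Get-ChildItem -Path $path | Where-Object {
        $subject = $_.Subject
        # Match on the common name; a trusted root with any of these names is suspect.
        $suspectNames | Where-Object { $subject -like "*CN=$_*" }
    } | ForEach-Object {
        [pscustomobject]@{
            Store         = $path
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey   # the part an attacker can reuse
            NotAfter      = $_.NotAfter
            Path          = $_.PSPath
        }
    }
}

if (-not $hits) {
    Write-Host 'No eDellRoot or DSDTestProvider certificates found in the trusted-root stores.'
    return
}

$hits | Format-Table Store, Subject, Thumbprint, HasPrivateKey, NotAfter -AutoSize

if ($Remove) {
    foreach ($hit in $hits) {
        # Deleting the certificate withdraws the trust; -DeleteKey also removes
        # the private key the store holds for it. Needs an elevated shell for
        # LocalMachine\Root.
        Remove-Item -Path $hit.Path -DeleteKey -ErrorAction Stop
        Write-Host "Removed $($hit.Subject) ($($hit.Thumbprint)) from $($hit.Store)"
    }
}
```

Run it once without -Remove to see what is there: a HasPrivateKey value of True on a trusted root is exactly the condition the Reddit poster describes. Note that the script only checks the certificate stores; whatever software installed the certificate is a separate question, so re-run the check after any Dell update.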
Dell owned up to the problem and told The INQUIRER that it takes customer security - and privacy - very seriously, and doesn't throw bloatware onto machines willy-nilly. It is investigating the CA and whether it poses a risk.
"Customer security and privacy is a top concern for Dell. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers," said the firm.
"We have a team investigating the current situation and will update you as soon as we have more information."