Pierluigi Paganini November 29, 2015

Microsoft has updated its security tools to remove two risky digital certificates installed on some Dell computers that could be exploited by attackers.
The eDellRoot and DSDTestProvider self-signed certificates both contained their private encryption keys that could be extracted by attackers and used to steal personal data, install data-stealing malware, or hijack the PC.

Dell has released software updates to remove both and has published guidelines on how to do it manually, but Microsoft is making sure all its customers are protected.
The updated tools detect and remove the vulnerable certificates from the certificate root store, as well as the affected binaries that might reinstall the vulnerable certificate, Microsoft said in a blog post.
These tools include Windows Defender for Windows 10 and Windows 8.1,  Microsoft Security Essentials for Windows 7 and Windows Vista, Microsoft Safety Scanner and Microsoft Windows Malicious Software Removal Tool.
The Dell certificates were part of the service tools and were aimed at making technical support easier by informing Dell about which product a customer is using.
But the inclusion of the private keys made them vulnerable to abuse by attackers and a significant security risk.
The eDellRoot certificate authority and private key could also allow attackers to sign code, which means they can sign malware as if it was from another company, but it will look legitimate to computers with the eDellRoot certificate authority installed.

This can allow attackers to easily masquerade as legitimate software on Dell computers affected by this issue and, according to Symantec, malware signed with the eDellRoot certificate authority had already started appearing on VirusTotal a day after the vulnerability was made public.
The discovery of the vulnerable security certificates on some Dell PCs has reignited the debate on pre-installed software.
The debate was raised in February 2015 when Lenovo was found to be shipping the Superfish pre-installed adware that made customers vulnerable to HTTPS man-in-the-middle attacks through its use of self-signed root HTTPS certificates.
Security experts say the issue represents a potential security breakdown in the process of laying down the factory operating system image on new laptops.
Andrew Lewman, vice-president of data development at security intelligence firm Norse, said any enterprise should be reloading its operating systems on delivery and not simply using what comes from the factory by default.
“As for protection, all enterprises should block the Dell certificate authority both on the network and on their devices,” he said. “Uninstalling the certificate authority from laptops and desktops should be a matter of a policy update.”
Dell has confirmed that commercial customers who re-imaged their systems without Dell Foundation Services are not affected by this issue. Researchers at security firm Tripwire have published a free tool to enable Dell users to test for the eDellRoot certificate.

you might also like

leave a comment