Security Advisor

Microsoft Blocks Dell Certs Due to Security Concerns

Self-signed certificates that Dell included on some of its shipped hardware could be used to monitor Web traffic.

Microsoft has rejected two Dell certificates over concerns that they could be used by attackers against Windows users.

In a security advisory released late on Monday by Microsoft, the company has updated its Certificate Trust List to block what it's calling unconstrained digital certificates from Dell. "One of these unconstrained certificates could be used to issue other certificates, impersonate other domains, or sign code," read the advisory. "In addition, these certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Dell customers."

The advisory affects all supported versions of Windows and Windows Server, including Windows Phone 8, and will be applied automatically to all users.

Dell's certificate issue came to light last week when a user on Reddit discovered that his new Dell laptop came preinstalled with a self-signed certificate called eDellRoot. With the use of readily available third-party tools, eDellRoot could be used to spy on traffic to any Web site.

Making the matter worse, the corresponding private key ships alongside eDellRoot and is now online, so anyone can generate false certificates that Web browsers on affected machines will trust. The situation draws many parallels to the Lenovo Superfish incident and Lenovo's admission in February that many of its laptops came preinstalled with certificates that could be used to monitor SSL traffic. Lenovo had described it as a feature, included with the laptops to enhance the user shopping experience.
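The condition the article describes (a self-signed root CA in the trusted store whose private key is present on the machine, with no constraints on what it can issue) is something an administrator can check for directly. The following PowerShell is an added example, not code from the article, Dell or Microsoft; it assumes only the built-in `Cert:` drive and the .NET `X509BasicConstraintsExtension` type, and the only name it takes from the article is eDellRoot.

```powershell
# Added example: list trusted roots that are self-signed and whose private key
# is present on this machine. A root CA with its private key on the endpoint is
# exactly the eDellRoot / Superfish situation: whoever holds the key can mint
# certificates this machine will trust for any site. The store paths and the
# "known name" check are assumptions of this example, not an official tool.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        # Self-signed: issuer DN equals subject DN; HasPrivateKey: key is on this box.
        $_.Subject -eq $_.Issuer -and $_.HasPrivateKey
    } | ForEach-Object {
        $cert = $_
        # Basic Constraints tells us whether it is a CA and whether its issuing
        # depth is limited; "unconstrained" here means CA with no path length limit.
        $bc = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        [PSCustomObject]@{
            Store        = $store
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            IsCA         = if ($bc) { $bc.CertificateAuthority } else { 'no basic constraints' }
            PathLenLimit = if ($bc -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'none' }
            KnownBadName = $cert.Subject -like '*eDellRoot*'
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No self-signed trusted roots with a local private key found.'
}
```

Any row this prints deserves review, not just the one matching the eDellRoot name: a legitimate enterprise root CA is normally kept on a CA server, not distributed with its private key to every endpoint. Removing a flagged certificate from the store stops the local trust, but the article's point about the key already being public still stands for any machine on which the certificate remains.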

In its own response released last week, Dell said that the self-signed certificates were included to aid the company in troubleshooting user issues. "The certificate is not malware or adware," the company wrote in a blog post. "Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It's also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."

A software update released last week from Dell removed the certificate from affected systems.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
