Security Advisor

Microsoft Blocks Dell Certs Due to Security Concerns

The company's included self-signed certificates in some of its shipped hardware could be used to monitor Web traffic.

Microsoft has rejected two Dell certificates due to the concerns that they could be used by attackers against Windows users.

In a security advisory released late on Monday by Microsoft, the company has updated its Certificate Trust List to block what it's calling unconstrained digital certificates from Dell. "One of these unconstrained certificates could be used to issue other certificates, impersonate other domains, or sign code," read the advisory. "In addition, these certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Dell customers."

The advisory affects all supported versions of Windows OS and Windows Server, including Windows Phone 8 and will be automatically applied to all users.

Dell's certificate issue came to light last week when a user on Reddit discovered that his new Dell laptop came preinstalled with a self-signed certificate called eDellRoot. With the use of readily available third-party tools, eDellRoot could be used to spy on traffic to any Web site.

Making the matter even worse is that a corresponding private key ships with eDellRoot and is now online for anyone to generate false certificates that could be used to trick Web browsers. The situation draws many parallels to the Lenovo Superfish incident and its admission in February that many of its laptops came preinstalled with certificates that could be used to monitor SSL traffic. Lenovo had claimed it as a feature and was included with the laptops to enhance user shopping experiences.

In its own response released last week, Dell said that the self-signed certificates were included to aid the company in troubleshooting user issues. "The certificate is not malware or adware," the company wrote in a blog post. "Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It's also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process."

A software update released last week from Dell removed the certificate from affected systems.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

  • Microsoft Open License To End Next Year for Government and Education Groups

    Microsoft's "Open License program" will end on Jan. 1, 2022, and not just for commercial customers, but also for government, education and nonprofit organizations.

comments powered by Disqus