Computer manufacturer Dell will begin today with the removal of a certificate that allows users to be attacked, as the company has announced. Since August this year, laptops and desktops from Dell comes with a certificate that contains the private key.
Attackers can use this key to sign malware for example, so it looks like that comes from Dell, and are also man-in-the-middle attacks on HTTPS sites possible. According to Dell, the certificate is no malware or adware. It was deliberately placed on systems to help customers. Through the certificate Dell's help desk can identify the service tag of the system and quickly identify the computer model, operating system and other components.
The computer manufacturer states in a blog posting that the certificate inadvertently introduces vulnerabilities. Something that Dell makes excuses for that. The company now has instructions (docx) put online how the certificate can be removed in question, and will also release an update starting today to remove the certificate. Also, all new systems will be delivered without a certificate. In the blog posting thanked Dell also researchers Hanno Böck, Joe Nord and Kevin Hicks who published about the security issue. Dell customers who want to know whether they are vulnerable to these via this website testing.
Update
"The security and privacy of our customers are of utmost importance to Dell. The recent situation relates to an" on-the-box "support certificate is intended to provide customers a better, faster and simpler support experience. Until Dells regrets the license shall carry an unintended security vulnerabilities along with it. To solve this problem we will provide our customers with instructions to remove this certificate permanently from their systems, "
"We go to the instructions via email on our support website and communicate via our technical support, we go the Certificate of all remove Dell systems that need to be made. Please note:. Business customer an image of their own Managing this issue does not affect systems. Dell does not install any adware or malware. The certificate will not reinstall itself if it is properly disposed of according to the process recommended by Dell. "
It also has CERT Coordination Center (CERT / CC) at Carnegie Mellon University, a warning issued to the certificate. It is also recommended to remove the certificate.
No comments:
Post a Comment