Superfish-style Certificates Installed by Dell Support Tools


Two dangerous self-signed digital certificates related to two different Dell tools were discovered just days apart from one another. Both certificates are related to Dell’s customer support applications. The first certificate, which is called eDellRoot, was originally created in April this year and was added to Dell consumer and commercial devices last August to provide better customer support by allowing the master key to verify a computer’s identity during support sessions. The second certificate, DSDTestProvider, is related to an application called Dell System Detect, which is installed when users click the “Detect Product” button on the Dell support website.

Security researchers discovered that both eDellRoot and DSDTestProvider introduce an unintended vulnerability reminiscent of the Superfish adware program that hit Lenovo in February. Dell's case, however, differs from Superfish in that there is no indication the two certificates are being used to plant ads on the computers—but the underlying security problem is the same.

Because the private keys for these certificates are stored locally on the machine, anyone who extracts one can sign a forged certificate for any website, and browsers such as Google Chrome and Internet Explorer, which rely on the Windows certificate store, will trust it on affected laptops and desktops. The flaw exposes users to SSL attacks that could lead to stolen credit card numbers, passwords, and other sensitive information. Additionally, the root certificate can reinstall itself even after it is deleted, and the key can also be used to sign programs, allowing attackers to disguise malware as legitimate apps.

Dell has responded to concerns regarding the eDellRoot certificate and is now providing all customers with removal instructions and an uninstaller tool. They have also promised to release a software update that will check for the presence of eDellRoot on systems. However, they have yet to release any statement about DSDTestProvider. For now, Dell users who have installed Dell System Detect are advised to revoke the DSDTestProvider certificate. Trend Micro Deep Security can detect the eDellRoot certificate with the following DPI rule: 1005040-Identified Revoked Certificate Authority In SSL Traffic.txt
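As an added example (not code from the article, from Dell, or from Trend Micro), the following PowerShell script audits the Windows certificate stores for the two certificates named above, reports whether a private key is present locally (the condition that makes them forgeable), and removes them only when run with the assumed `-Remove` switch.

```powershell
# Added example, not from the article or Dell: audit Windows certificate stores
# for eDellRoot and DSDTestProvider. Run in an elevated PowerShell session so the
# LocalMachine stores are readable and, with -Remove, writable.
param(
    [switch]$Remove   # assumption: remove matching certificates instead of only reporting
)

$pattern = 'eDellRoot|DSDTestProvider'
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
             'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA')

$findings = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                # A trusted root whose private key lives on the machine lets anyone
                # on that machine sign certificates for any site or any program.
                HasPrivateKey = $_.HasPrivateKey
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                NotAfter      = $_.NotAfter
                PSPath        = $_.PSPath
            }
        }
}

if (-not $findings) {
    Write-Output 'No eDellRoot or DSDTestProvider certificates found.'
    return
}

$findings | Format-Table Store, Subject, HasPrivateKey, SelfSigned, Thumbprint -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Remove-Item on a Cert: path deletes the certificate from that store;
        # -DeleteKey also removes the locally stored private key.
        Remove-Item -Path $f.PSPath -DeleteKey
        Write-Output "Removed $($f.Subject) from $($f.Store)"
    }
    # The article notes the root certificate can reinstall itself, so re-audit later.
    Write-Output 'Re-run this script after a reboot to confirm the certificates stay gone.'
}
```

Because the article says the root certificate can reinstall itself, a single removal is not proof of remediation; schedule the audit to run again and treat a reappearance as a sign the installing component is still present.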
