Dell says it inadvertently shipped new PCs with a potential security vulnerability. This lapse has drawn comparisons to Lenovo’s Superfish fiasco, but there’s one major difference: Dell quickly acknowledged the problem and fixed it.
“Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability,” Dell Chief Blogger Laura P. Thomas writes in a post to the firm’s official corporate blog. “The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.”
From a technical standpoint, this problem is indeed very similar to Superfish: software in the form of a self-signed trusted root certificate is installed by Dell, and it contains a security vulnerability. This vulnerability could be exploited by hackers to impersonate HTTPS-encrypted web sites such as banks and services like Google that hold digital identities. So the potential losses are both financial and personal.
And Dell, like Lenovo, felt that it was doing the right thing—in this case, trying to improve customer service—when in fact it was doing the wrong thing for the right reason. You may recall that Lenovo installed malware-like software called Superfish on its PCs, and that it did so ostensibly because it felt that it could provide a better experience for its users. This is a peculiar delusion from which all PC makers suffer to one degree or another. But Lenovo’s decision to inject more relevant advertising on web pages was particularly tone deaf.
Dell seems to have a similar inability to grasp the obvious. Like Lenovo before it, Dell is arguing that the offending software “is not malware or adware.” And in an effort to distance itself from the Superfish fiasco, Dell says that the software “will not reinstall itself once it is properly removed using the recommended Dell process … [and it] is not being used to collect personal customer information.”
The good news? Unlike Lenovo, Dell is at least moving quickly to acknowledge this problem and fix it.
“We have posted instructions to permanently remove the certificate from your system,” Thomas explains. “We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.”
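As an added example (not Dell’s own update or removal tool), here is the kind of check that update performs: a PowerShell script that looks through the machine and per-user trusted root stores for a certificate whose subject names eDellRoot, reports what it finds, and removes it only when asked. The store paths and the subject-name match are assumptions based solely on the certificate name given above; the article does not give a thumbprint, so verify any hit against Dell’s published instructions.

```powershell
# Added example: detect (and optionally remove) a trusted root certificate
# named eDellRoot. Matching is by subject name only, because that is the
# only identifier given in the article; confirm the thumbprint against
# Dell's published removal instructions before acting on a match.
param(
    [switch]$Remove
)

# A trusted root can live in either the machine-wide or the per-user store.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found  = @()

foreach ($store in $stores) {
    $hits = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'CN=eDellRoot' }
    foreach ($cert in $hits) {
        $found += [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            # Subject equal to issuer means self-signed: a trusted self-signed
            # root lets whoever holds its key issue certificates for any site.
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            Path       = $cert.PSPath
        }
    }
}

if ($found.Count -eq 0) {
    Write-Host 'No eDellRoot certificate found in the root stores.'
    exit 0
}

$found | Format-Table Store, Thumbprint, SelfSigned, NotAfter -AutoSize

if ($Remove) {
    foreach ($entry in $found) {
        # Removing from LocalMachine\Root requires an elevated session.
        Remove-Item -Path $entry.Path -Verbose
    }
    Write-Host 'Removed. Re-run this check after a reboot to confirm it stays gone.'
}
```

Run without `-Remove` to audit a fleet; re-running after removal confirms that nothing reinstalled the certificate.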
You can download Dell’s removal instructions in Word DOC format. Dell also recommends that anyone who finds security vulnerabilities in its software contact it immediately.