Second Root Cert-Private Key Pair Found On Dell Computer (threatpost.com)
msm1267 writes: A second root certificate and private key, similar to eDellRoot [mentioned here yesterday], along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers, have been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert. The related eDellRoot cert is also self-signed but has a different fingerprint than the first one. It has been found only on two dozen machines according to the results of a scan conducted by researchers at Duo Security. Dell, meanwhile, late on Monday said that it was going to remove the eDellRoot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions (.DOCX download), and starting today will push a software update that checks for the eDellRoot cert and removes it. The second certificate / key pair was found by researchers at Duo Security.
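The summary describes a Dell update that checks for the eDellRoot cert and removes it. As an added example (not Dell's tool and not from the article), the PowerShell below audits the Windows root stores for the same risk class: trusted roots whose private key is present on the endpoint, plus any root matching a suspect subject or thumbprint. "eDellRoot" is the subject named in the article; the second certificate's name and fingerprint are not given there, so the thumbprint entry is a placeholder to fill in.

```powershell
# Added example, not Dell's removal update. Lists trusted roots on this machine
# that carry a locally available private key (the condition that made eDellRoot
# dangerous) or that match a suspect name/thumbprint. Run from an elevated prompt.

# Subject substrings to flag. "eDellRoot" comes from the article; the second
# cert's name is not published there, so extend this list as details emerge.
$SuspectSubjects = @('eDellRoot')

# Placeholder: replace with the real SHA-1 thumbprint once it is known.
$SuspectThumbprints = @('<THUMBPRINT-OF-SECOND-CERT>')

function Get-RiskyRootCerts {
    param(
        [string[]]$Subjects    = $SuspectSubjects,
        [string[]]$Thumbprints = $SuspectThumbprints
    )

    # Both the machine-wide and the per-user root stores are trusted by Windows.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert       = $_
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            $nameMatch  = $Subjects | Where-Object { $cert.Subject -like "*$_*" }
            $thumbMatch = $Thumbprints -contains $cert.Thumbprint

            # A root whose private key lives on the endpoint can mint certificates
            # this machine will trust, so it is flagged regardless of its name.
            if ($cert.HasPrivateKey -or $nameMatch -or $thumbMatch) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    SelfSigned    = $selfSigned
                    HasPrivateKey = $cert.HasPrivateKey
                    NotAfter      = $cert.NotAfter
                }
            }
        }
    }
}

# Report first; removal is a separate, deliberate step after review.
$findings = Get-RiskyRootCerts
$findings | Format-Table -AutoSize

# To remove a reviewed finding, uncomment and narrow the filter as appropriate:
# $findings | Where-Object { $_.Subject -like '*eDellRoot*' } | ForEach-Object {
#     Remove-Item -Path "$($_.Store)\$($_.Thumbprint)"
# }
```

The script reports before it removes anything, because a root with a private key is not automatically malicious (an enterprise's own internal CA could look similar), and because the article notes the vendor's fix also involves an update that re-checks the store; a one-time removal should be confirmed on a later run.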
Companies are so bad about security these days that I refuse to differentiate between stupidity and malice.
If they do it to sell ads, or they do it to make support easy but don't have proper security people review it ... I don't see much difference.
Lost at C:>. Found at C.
The only consolation is that 'superfish' was clear evil, executed with some degree of effectiveness; while the current Dell thing appears to be unbelievable failure at even the concepts behind safe certificate handling; but without an overt evil objective.
It is, at least, possible, that stupid will be cured by enough 3rd party testing; but evil is harder to expunge.
That said, the level of stupid on display here (especially for a company that is supposed to know how to, say, sign and deploy device drivers; and run a website with a secure order form) is pretty terrifying. Bugs are bad; but at least some of them are subtle. Adding a trusted root cert with an easily extractable private key to a huge number of customer systems isn't a 'bug', it's insanity.
It's completely avoidable. Do your homework on a new laptop (manufacturer doesn't matter.) Make sure it has good Linux compatibility. Buy it and install your favorite distro. I've been doing this for the past 10 years. It's great because you benefit from the lower price (thanks to all the shovelware) without having to actually live with the shovelware.