Security Vulnerability on Dell Computers!

Good Day to You,

November 27, 2015 Update:

I received an update to my previous newsletter from US-CERT. The update narrows down the time frame we need to be aware of concerning this vulnerability:

August 18, 2015 – “Dell Foundation Services (DFS) application”

November 20-23 2015 – “Certificate was preinstalled on some systems”

Below is a paste from the newsletter dated “Friday, November 27, 2015 5:14 PM”.

“The eDellRoot certificate originated from an update to the Dell Foundation Services (DFS) application on August 18, 2015. As of November 23, that update is no longer being provided. The certificate was also preinstalled on some systems November 20–23, 2015. Dell is pushing a DFS software update to remove the vulnerable certificate from affected systems.”

A friend tested the tool

On Thanksgiving Day, we spent time with friends who happen to have two (2) Dell laptops. One of them is my old one. We installed the removal tool on that computer and ran it.

The result was that the tool couldn’t find the file (not an exact quote). The removal tool had no effect on the performance of the laptop. We watch streaming music videos for a good part of the day.

Since this is an older laptop, it isn’t surprising that the tool didn’t find the file. My friend does not allow “automatic updates” on this pc (yes, he does know what he is doing).

We didn’t take the time to test the newer computer, but it does have Windows 10, which automatically updates the Windows Security Patches. I’m not sure about the Dell Application.

End of Update – Original Post is below:

I am straying away from talking about Professional Licensing, or Blogging 101 in this post for a very important public service notice.

This post is directed to anyone who owns a Dell computer.

I just received a newsletter update from one of my Federal Agency website email subscriptions that, as a former Dell computer owner really made me take notice.

I just purchased a new computer that replaced my older Dell laptop. This is too important not to post about it.

The newsletters’ contents are posted on the US-CERT website:

Dell Computers Contain CA Root Certificate Vulnerability – UNITED STATES COMPUTER EMERGENCY READINESS TEAM (US-CERT).

I’m not a particularly technical person, so instead of trying to explain what this security vulnerability is, here is a link to the Vulnerability Note:

Vulnerability Note VU#870761 – Dell Foundation Services installs root certificate and private key (dDellRoot) – Vulnerability Notes Database – Homeland Security.

Digital Encryption Icon By Dustin – Click/tap the image to view the source.
Digital Encryption Icon By Dustin – Click/tap the image to view the source.

REVOKING THE CERTIFICATE

The above Vulnerability Note lists two (2) Solutions:

The webpage talks about how to “Revoke eDellRoot certificate”.

I prefer the other recommendation.

REMOVING THE CERTIFICATE (WHAT I WOULD DO)

The Vulnerability Note lists a way to “Remove eDellRoot certificate” and provides a link to the Removal Tool.

When I clicked on the link in the Vulnerability Note, the tool automatically downloaded. I have copied the link, and you can use it here: DOWNLOAD THE TOOL.

Dell also has this post on their blog:

Response to Concerns Regarding eDellroot Certificate – Direct2Dell – The Official Dell Corporate Blog

ATTACK SCENARIOS

Under “Impact” the Vulnerability Note tells us that “Common attack scenarios include”:

“Impersonating a web site”

“Performing a MiTM attack to decrypt HTTPS traffic” – This can allow an attacker to read all encrypted web browser traffic, like our usernames and passwords.

“Installing malicious software”

I hope those of you who own a Dell computer will take the appropriate steps listed above to keep your computer and privacy safe from attack.

I’m including the Blogging 101 tag with this post, in the hope that this will be of help to the folks at Blogging University as well.

My Best to You
Arth

Author: Arth Strout

Welcome! - Are you like me? - Do you get lost using Twitter? - Do you struggle with Marketing? Wish a non-tech person would "walk through" Issues? - My name is Arthur (Arth for short). I call myself an "Atypical Affiliate Marketer", because I don't like and don't use gimmicks just to earn a buck online. I"m not against "Big Data" or using Automation to help with basic tasks, but not when it dehumanizes us. I'm not an "expert", and my videos are far from perfect, but will be helpful, by sharing what I learn and how I personally feel and deal with challenges we all face as users and Marketers. For instance, you won't find me all over Social Media. I make my home on Twitter @TrendRandom, so "Using Twitter" is one of the subjects you'll find here. Not just using, but how I use Twitter and why what I do isn't always like everyone else. So I hope you'll watch, be helped and inspired. You’ll also find the “All Polls” section. Each user poll question has it’s own page, with the option to answer “yes” or “no”. You’ll find the offer’s claim/promise quoted under each poll with a source link. Please leave a comment, suggestion or request using the “Contact” page. My Best to You Arth Strout 12 Summer St., Apt. 2 Augusta, ME 04330

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s