Security Vulnerability on Dell PCs is Compared to Superfish

Dell says it inadvertently shipped new PCs with a potential security vulnerability. This lapse has drawn comparisons to Lenovo’s Superfish fiasco, but there’s one major difference: Dell quickly acknowledged the problem and fixed it.

“Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application on our PCs, unintentionally introduced a security vulnerability,” Dell Chief Blogger Laura P. Thomas writes in a post to the firm’s official corporate blog. “The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it.”

News of the Dell vulnerability originally came via personal blogs and Reddit, but gained steam and attention when bigger blogs and professional news organizations picked up the story.

From a technical standpoint, this problem is indeed very similar to Superfish: Dell installed software in the form of a self-signed trusted root certificate, and that certificate contains a security vulnerability. Attackers could exploit it to impersonate HTTPS-encrypted web sites such as banks and services like Google that hold digital identities. So the potential losses are both financial and personal.

And Dell, like Lenovo, felt that it was doing the right thing—in this case, trying to improve customer service—when in fact it was doing the wrong thing for the right reason. You may recall that Lenovo installed malware-like software called Superfish on its PCs, and that it did so ostensibly because it felt that it could provide a better experience for its users. This is a peculiar delusion from which all PC makers suffer to one degree or another. But Lenovo’s decision to inject more relevant advertising into web pages was particularly tone deaf.

Dell seems to have a similar inability to grasp the obvious. Like Lenovo before it, Dell is arguing that the offending software “is not malware or adware.” And in an effort to distance itself from the Superfish fiasco, Dell says that the software “will not reinstall itself once it is properly removed using the recommended Dell process … [and it] is not being used to collect personal customer information.”

The good news? Unlike Lenovo, Dell is at least moving quickly to acknowledge this problem and fix it.

“We have posted instructions to permanently remove the certificate from your system,” Thomas explains. “We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.”

You can download Dell’s removal instructions in Word DOC format. Dell also recommends that anyone who finds security vulnerabilities in its software contact it immediately.
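The update Dell describes checks the trusted root store for the certificate and removes it if found. As an added example (not Dell’s tool and not code from this article), the following PowerShell audits both Windows trusted root stores for a certificate whose subject contains eDellRoot, reports whether its private key is present on the machine, and removes it only when explicitly asked; the store paths and property names are standard PowerShell and .NET, and only the subject name comes from the article.

```powershell
# Added example: audit the Windows trusted root stores for the eDellRoot
# certificate described in the article. Run elevated to see the
# LocalMachine store. Report-only by default; pass -Remove to delete.
param(
    [switch]$Remove   # removal is opt-in; default is report-only
)

$stores   = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$findings = @()

foreach ($store in $stores) {
    $certs = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*eDellRoot*' }

    foreach ($cert in $certs) {
        # A trusted root whose private key is present on the machine is the
        # dangerous condition: anyone holding that key can mint certificates
        # the browser will accept for any HTTPS site.
        $findings += [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

if (-not $findings) {
    Write-Output 'No eDellRoot certificate found in the trusted root stores.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # The Cert: provider supports Remove-Item; -DeleteKey also removes
        # the associated private key so it cannot be reused.
        Remove-Item -Path (Join-Path $f.Store $f.Thumbprint) -DeleteKey
        Write-Output "Removed $($f.Thumbprint) from $($f.Store)"
    }
}
```

Deleting the certificate from the store addresses only the trust entry; the article notes that Dell’s own removal process is what prevents it from being reinstalled, so follow Dell’s instructions for the Dell Foundation Services component as well.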

Paul Thurrott is an award-winning technology journalist and blogger with over 20 years of industry experience and the author of over 25 books. He is the News Director for the Petri IT Knowledgebase, the major domo at, and the co-host of three tech podcasts: Windows Weekly with Leo Laporte and Mary Jo Foley, What the Tech with Andrew Zarian, and First Ring Daily with Brad Sams. He was formerly the senior technology analyst at Windows IT Pro and the creator of the SuperSite for Windows.