Dell owns up to eDellRoot fake cert security gaffe


Posts removal instructions and pushes out software update.

Global PC vendor Dell has acted quickly to allay security concerns arising from a fake certificate authority (CA) installed on its computers, and says it will remove it through a software update.

The eDellRoot CA could be used to sign digital credentials and code that would then wrongly be trusted by user software such as web browsers. This means such forged credentials could be used by attackers for silent interception of secure sockets layer/transport layer security (SSL/TLS) protected traffic.

Corporate communications staffer Laura Thomas said the CA is part of the Dell Foundation Services support software package.

The purpose of eDellRoot is to provide a system service tag to Dell support representatives, to speed up the process when customers need help with their systems, Thomas said.

Dell has been compared to Lenovo, which shipped consumer PCs running the Superfish adware that utilised similar, bogus digital credentials, creating customer outrage earlier this year.

While recognising that eDellRoot created a security vulnerability, Thomas pointed out it isn't malware or adware, and that it wasn't used to collect personal information from customers.

"Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it," Thomas wrote.

To get rid of the self-signed root certificate, Dell customers have the option of waiting for a software patch to be rolled out over the coming days, or downloading and running the fix themselves.

It is also possible to remove the eDellRoot certificate manually, by first stopping the Dell Foundation Services background service, deleting the "Dell.Foundation.Agent.Plugins.eDell.dll" file in the "C:\Program Files\Dell\Dell Foundation Services" directory, and then using the Windows certificate manager utility to expunge the fake credential.
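
The manual steps above, written as a PowerShell script that reports what it finds and only makes changes when run with -Remove. This is an added example, not Dell's fix and not code from the article; matching the service by its display name and the certificate by the subject name eDellRoot are assumptions, and it uses the certificate provider in place of the certificate manager utility.

```powershell
# Added example, not Dell's tool. Run from an elevated PowerShell prompt.
# Assumptions: the service is matched by display name, and the certificate
# by the subject name "eDellRoot" used in the article.
param([switch]$Remove)

$dllPath = 'C:\Program Files\Dell\Dell Foundation Services\Dell.Foundation.Agent.Plugins.eDell.dll'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Get-EDellRootCert {
    # Any trusted root whose subject names eDellRoot, in either store.
    @(Get-ChildItem -Path $stores | Where-Object { $_.Subject -match 'CN=eDellRoot' })
}

# Gather the three things the manual procedure touches.
$services = @(Get-Service -DisplayName 'Dell Foundation Services*' -ErrorAction SilentlyContinue)
$dllFound = Test-Path -LiteralPath $dllPath
$certs    = Get-EDellRootCert

# Report only; nothing is changed unless -Remove was given.
Write-Host "Matching services  : $($services.Count)"
$services | Format-Table Name, DisplayName, Status -AutoSize
Write-Host "Plugin DLL present : $dllFound"
Write-Host "eDellRoot in roots : $($certs.Count)"
$certs | Format-List PSParentPath, Subject, Thumbprint, NotAfter

if (-not $Remove) { return }

# 1. Stop the background service.
$services | Where-Object { $_.Status -eq 'Running' } | Stop-Service -Force

# 2. Delete the plugin DLL named in the article.
if ($dllFound) { Remove-Item -LiteralPath $dllPath -Force }

# 3. Remove the certificate from the trusted root stores.
$certs | Remove-Item

# Confirm the result instead of assuming the removal succeeded.
$left = Get-EDellRootCert
if ($left.Count -eq 0) {
    Write-Host 'eDellRoot is no longer in the trusted root stores.'
} else {
    Write-Warning "eDellRoot still present in $($left.Count) store location(s)."
}
```

Running the script again after a reboot, without -Remove, shows whether the certificate has stayed out of the root stores.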

Copyright © iTnews.com.au . All rights reserved.