December 11, 2015
Microsoft has updated its security tools to remove vulnerable certificates installed on some Dell computers from the certificate root store, as well as the affected binaries that might reinstall the vulnerable certificate.
The eDellRoot and DSDTestProvider self-signed certificates were both shipped together with their private keys, which could be extracted by attackers and used to steal personal data, install data-stealing malware, or hijack the PC. Dell has released software updates to remove both and has published guidelines on how to do it manually, but Microsoft is making sure all its customers are protected.
The updated tools detect and remove the vulnerable certificates from the certificate root store, as well as the affected binaries that might reinstall the vulnerable certificate, Microsoft said in a blog post. These tools include Windows Defender for Windows 10 and Windows 8.1, Microsoft Security Essentials for Windows 7 and Windows Vista, Microsoft Safety Scanner and the Microsoft Windows Malicious Software Removal Tool.
The Windows Defender tool removes the certificates together with the associated Dell.Foundation.Agent.Plugins.eDell.dll plugin, which would otherwise reinstall the certificate.
The Dell certificates were part of the service tools and were aimed at making technical support easier by informing Dell about which product a customer is using.
But the inclusion of the private keys made them open to abuse by attackers and a significant security risk. Because eDellRoot is a trusted root certificate authority whose private key is known, an attacker could also use it to sign code: malware signed with it could be made to look as if it came from another company, and it would appear legitimate on any computer with the eDellRoot certificate authority installed.
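As an added example (not code from Dell or Microsoft, and not one of the removal tools the article describes), the following PowerShell check enumerates the machine and user root stores for the two certificates named above and reports whether a private key is present locally, which is the condition that makes them exploitable. It assumes the certificates can be identified by the strings eDellRoot and DSDTestProvider in their Subject field, and it assumes the plugin DLL, if still present, lives somewhere under Program Files; both are assumptions, since the article gives neither thumbprints nor file paths.

```powershell
# Added example: detect the eDellRoot / DSDTestProvider root certificates and the
# plugin DLL that reinstalls them. Reading the stores does not require elevation;
# removal (commented out below) does.

$pattern = 'eDellRoot|DSDTestProvider'   # assumption: names appear in the Subject
$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A private key alongside a trusted root is the core of the problem:
                # it can sign TLS certificates and code that this machine will trust.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $findings) {
    Write-Output 'No eDellRoot or DSDTestProvider certificates found in the root stores.'
} else {
    Write-Warning 'Vulnerable root certificates present:'
    $findings | Format-Table -AutoSize
}

# The certificate alone is not enough to remove: the eDell plugin reinstalls it.
# Assumption: the DLL is somewhere under Program Files; adjust if your layout differs.
$dllName  = 'Dell.Foundation.Agent.Plugins.eDell.dll'
$roots    = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$plugins  = Get-ChildItem -Path $roots -Recurse -Filter $dllName -ErrorAction SilentlyContinue

if ($plugins) {
    Write-Warning "Plugin that reinstalls the certificate found:"
    $plugins | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Output "$dllName not found under Program Files."
}

# Manual removal of each certificate hit, run from an elevated prompt after reviewing
# the output above (Dell's updates or the Microsoft tools in the article do this for you):
# $findings | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
```

The check reports rather than removes by default: deleting the certificate without also removing the plugin DLL leaves the machine in the state the article warns about, where the certificate simply comes back on the next run of the Dell agent.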