As part of the promotion of its flagship XPS 15, Dell touts the laptop’s security. “Worried about Superfish?” the product page asks, invoking a now-infamous Lenovo lapse from earlier this year. “Each application we pre-load undergoes security, privacy, and usability testing to ensure that our customers experience … reduced privacy and security concerns.” That messaging remains, even after Dell has experienced a security lapse of its own—one remarkably similar to Superfish. It might as well stay up, if only as a reminder that security is far easier to promise than it is to achieve. That’s where you’ll find detailed instructions on how to fix your PC’s vulnerability.
You have three options: download a patch, fix it manually, or wait for a software update that Dell pushed out today to fix it for you. Dell tells WIRED that the latter could take up to a week to reach all affected models, and the manual method takes a little know-how and a lot of clicking, so your best bet is likely the patch. Now, then! What exactly is it you were patching? A root certificate problem, as first noticed by programmer Joe Nord. It turns out that any commercial or consumer Dell PC that received a software update rolled out beginning August 15 has been saddled with something called eDellRoot, a pre-installed SSL root certificate whose private key is stored on the machine alongside it.
Because the private key is stored on the computer itself, acquiring it takes very little effort. “The same private key was found on multiple machines, meaning that anybody that has access to it can now use it to impersonate the certificate holder [i.e. the PC owner],” explains Jérôme Segura, senior security researcher at Malwarebytes. “It made matters worse that the password for that key was easily crackable.”
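One way for a defender to audit a Windows PC for the pattern described above, a trusted root certificate shipped together with its private key, is the following check. It is an added example, not code from the WIRED article or from Dell's fix instructions; it assumes a Windows machine with PowerShell and that the certificate's subject contains the string eDellRoot.

```powershell
# Added audit script (not from the article). A root CA certificate in the Trusted
# Root store should never have its private key present on an end-user PC: whoever
# holds that key can issue certificates the browser will trust for any site.
# Run from an elevated PowerShell prompt on the machine being checked.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        # Flag any root with a locally available private key, plus the named
        # certificate itself (subject match is an assumption for this example).
        $_.HasPrivateKey -or $_.Subject -match 'eDellRoot'
    } | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            NotAfter      = $_.NotAfter
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Trusted root certificate(s) with a local private key (or eDellRoot) found; follow the vendor removal instructions and re-run this check.'
} else {
    Write-Output 'No trusted root certificate with a local private key found.'
}
```

Re-running the check after applying Dell's patch confirms that the certificate is actually gone from both stores rather than merely hidden.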