Dell admits preinstalling root certificate and pledges to remove it

Out-of-the-box machines from PC giant Dell have been preinstalled with an 'unintended' security vulnerability.

By Asha Barbaschow | November 24, 2015 -- 00:38 GMT (16:38 PST) | Topic: Security

A root certificate preinstalled in its computers has introduced an "unintended security vulnerability", according to Dell.

Dell said commercial customers who image their own systems will not be affected by this issue, and reaffirmed the company does not preinstall any adware or malware on their machines.
"Customer security and privacy is a top concern and priority for Dell," a spokesperson said. "We are also removing the certificate from all Dell systems moving forward.

"To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site, and technical support."

According to German security blogger and journalist Hanno Böck, the root certificate is installed in the system's certificate store under the name "eDellRoot", and is inserted by software called Dell Foundation Services, which is still available for download on Dell's website. The description for the Dell-owned package says it provides foundational services facilitating customer serviceability, messaging, and support functions.

"Every attacker can use this root certificate to create valid certificates for arbitrary web pages," he said. "Even HTTP Public Key Pinning (HPKP) does not protect against such attacks, because browser vendors allow locally installed certificates to override the key pinning protection. This is a compromise in the implementation that allows the operation of so-called TLS interception proxies."

Dell said the certificate will not reinstall itself once it is properly removed using the recommended Dell process.
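
A read-only check for the condition Böck describes, written here as an added example (not from the article or from Dell): it looks in the machine and current-user trusted-root stores for a certificate named eDellRoot. Matching on the subject common name or the friendly name is an assumption about how the name appears in the store.

```powershell
# Added example: audit the Windows trusted-root stores for the certificate
# named in the article. Read-only; nothing is modified or removed.
$name   = 'eDellRoot'   # certificate name as given in the article
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        # Assumption: the name shows up as the subject CN or the friendly name.
        Where-Object { $_.Subject -like "*CN=$name*" -or $_.FriendlyName -eq $name } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A trusted root whose private key is stored on the same machine
                # can sign certificates that this machine will accept.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning "$name is present in a trusted-root store."
} else {
    Write-Output "$name was not found in the trusted-root stores checked."
}
```

A hit means the certificate should be removed using the instructions Dell says it is providing; the script only reports.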