It lets hackers snoop on users’ encrypted Internet traffic
Just as the PC maker addresses a glaring security problem on its computers, another equally bad one surfaces.
Dell’s newest vulnerability, much like the previous one, involves the company installing a self-signed security certificate (a digital credential that authenticates websites) alongside its private key (which functions much like a password) on its customers’ computers. With a little reverse engineering, the combination allows any technically savvy attacker to snoop on users’ encrypted Internet traffic or to steal their sensitive information.
According to a Dell spokesperson, anyone who used the “detect product” function on the company’s support site for the month spanning between Oct. 20 and Nov. 24 is likely affected.
Robert Graham, a security researcher and blogger, recently noted how an attacker could take advantage of this flaw. “If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications,” he wrote. “I suggest ‘international first class’ because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.”
The newly uncovered flaw affects a security certificate called “DSDTestProvider.” The certificate is installed by Dell Systems Detect, a company application that interacts with the Dell Support website and comes pre-installed on some Dell computers. (More information about the vulnerability is available on the website of CERT, an Internet security group.)
“In the case of Dell System Detect, the customer downloads the software proactively to interact with the Dell Support website so we can provide a better and more personalized support experience,” wrote Lauren Willard, a Dell spokesperson, in an email to Fortune. She compared the resulting issue to the same one that affected “eDellRoot,” the security-compromising certificate that Dell customers initially identified on their machines over the past weekend.
“Like eDellRoot, the support certificate in question was designed to make it faster and easier for our customers to get support,” the spokesperson said. “The application was removed from the Dell Support site immediately and a replacement application without the certificate is now available. We are proactively pushing a software update to address the issue and have provided instructions to remove this certificate below.”
This is not the first time that Dell Systems Detect has caused a security issue. The cybersecurity firm Malwarebytes discovered earlier this year that the application was vulnerable to remote code execution attacks, which allow attackers to gain full control of affected machines. (Dell quickly fixed the tool.) Other security incidents affecting the application are documented on Dell’s website.
Dell customers looking to remedy this newest vulnerability, as well as the earlier one, should follow the instructions provided by Dell on its website.
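As an added example (not from the article or from Dell), the following PowerShell audit looks for the two certificates named above in the Windows root and personal stores and reports whether the private key is present on the machine, which is the condition that makes the certificates dangerous. It assumes a Windows host running PowerShell 3 or later; the store paths and output fields are standard, and only the two certificate names are taken from the article.

```powershell
# Added example: audit Windows certificate stores for the DSDTestProvider and eDellRoot
# certificates described in the article and report whether a private key accompanies them.
# Assumes Windows PowerShell 3+; only the two subject names come from the article.
$suspectNames = @('DSDTestProvider', 'eDellRoot')
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\My',   'Cert:\CurrentUser\My')

function Find-SuspectCertificate {
    param([string[]]$Names, [string[]]$StorePaths)
    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | Where-Object {
            $subject = $_.Subject
            # keep the certificate if any suspect name appears in its subject CN
            $Names | Where-Object { $subject -like "*CN=$_*" }
        } | ForEach-Object {
            [PSCustomObject]@{
                Store         = $path
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # a trusted root whose private key is on the machine is the core problem
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
    }
}

$findings = Find-SuspectCertificate -Names $suspectNames -StorePaths $stores
if (-not $findings) {
    Write-Output 'No DSDTestProvider or eDellRoot certificates found.'
} else {
    $findings | Format-Table -AutoSize
    # Remediation per Dell's published instructions; to delete each finding from its store:
    # $findings | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
}
```

Run it from an elevated prompt so the LocalMachine stores are readable; a result with HasPrivateKey set to True means anyone who extracts that key can sign certificates the machine will trust.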
Follow Robert Hackett on Twitter at @rhhackett.