When Microsoft announced Windows 10 last September, it promised enterprise-grade security for its “last” version of Windows. Over the past few months since Windows 10’s release there have been some security concerns, mostly due to companies like Lenovo who released proprietary software that put users at risk. Now, it appears as though some of Dell’s latest PCs, shipping with Windows 10, have a security risk analogous to Lenovo’s Superfish exploit.
According to one Reddit user, some of Dell’s latest computers are shipping with a generic security key. This Certification Authorities (CA) key, has the ability to sign server certificates. Essentially, a less than trustworthy individual would be able to create false web certificates for real websites. A user then would be vulnerable to attacks when viewing websites using these fake certificates. The only defense against this would be for users to check each websites’ certificate chain.
Since this exploit has been made public, Dell has made the following statement:
Customer security and privacy is a top concern for Dell. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers. We have a team investigating the current situation and will update you as soon as we have more information.
After issuing this statement, Dell is planning to pull the generic certificate from its systems and on new devices while assisting current owners with removing it from their devices.
It is difficult to understand how a company such as Dell could make such a tremendous mistake, especially after Lenovo’s “Superfish” warranted such negative press. Regardless of how secure Microsoft attempts to make Windows 10, the platform can only be as secure as the software OEM’s use on their PCs. It is nice to see that Dell is already taking action to protect its customers, but it is difficult not to question how they could have overlooked such a major security risk. Let us know your thoughts on Dell’s solution in the comments below.