Dell System Detect Vulnerability Raises Ruckus Again

Dell's System Detect tool has been the focus of a fair amount of scrutiny this week, with security vendor Malwarebytes and software firm F-Secure each warning that older versions of the program could put computers' security at risk.

Security researchers warned last month that attackers may be able to exploit a weakness in older versions of Dell System Detect and remotely install malware.

For Stephen Monteros, vice president of business development and strategy at Dell partner Sigmanet, the whole thing is a bit of a nonissue, and the solution is simple: "Upgrade to the new version," he said.

"This is one of the reasons they create new versions," Monteros said. He said Sigmanet has been upgrading customers that are on managed services contracts. He said other partners should also be proactive in either notifying customers of the problem, or fixing it under their own contracts.

Sean Sullivan, security advisor with F-Secure, one of the firms that initially warned of the Dell vulnerability, told CRN by email that the fix is indeed simple. However, "the existing problem is this: unlike Internet Explorer, Adobe Reader, Java, and Flash -- there is no scheduled auto-update," Sullivan said.

"The old software will auto-update only if people manually visit dell.com," Sullivan said. "And based on our numbers -- that happens slowly. And so the old software ends up remaining in the wild. Only new computers (and recent updaters) are protected."

Likewise, Adam Kujawa, head of malware intelligence at Malwarebytes Labs, said, "the big reason why Malwarebytes started detecting the vulnerable versions of this tool as a potentially unwanted tool is to make users aware that there is something easily fixed but seriously vulnerable living on their system."

Still, Kujawa wouldn't completely absolve Dell of responsibility.

"The best thing would be for Dell to somehow reach out to each Dell user and deliver an updated version of the tool to them rather than hoping they visit the Dell update site," Kujawa said.

The problem was originally reported to Dell last November, and the company released a patch in early January. The concern now is that many, in fact most, users have not yet updated their computers using the patch provided by Dell.

Malwarebytes estimated that more than 90 percent of users had not updated their computers to activate the patch.

A Dell executive told CRN the original patch mitigated the vulnerability, and that a few weeks ago, the company "implemented an extra layer of security protection to further strengthen the program." Users still must first access Dell System Detect in order for the automatic update to begin.

Dell has issued this statement regarding the vulnerability, the subsequent patch and its effectiveness:

"The security of our systems and customer information is a top priority for Dell. Dell continuously monitors the security landscape of our product ecosystems for reported vulnerabilities and reviews claims against our products. The issue related to Dell System Detect (DSD) was raised last year and has since been remediated. As an added layer of security, when customers access DSD to update their systems, an auto update will occur to ensure potential vulnerabilities are addressed, and a test link will soon be available on the eSupport website so customers can validate that they are using the latest version of DSD."

PUBLISHED APRIL 9, 2015