Article pic
I was just wondering how many other images you sifted through when searching for 'insecure backdoor'?
Yep. Icon.......
Dell has denied building backdoors into its kit following a security researcher's discovery of an insecure update assistant app. Tom Forbes alleges that the Dell Service Tag Detector app* is so insecure that it creates a backdoor on machines it is installed upon. More specifically, Forbes alleges that the app caries a Remote …
IIRC it's a browser plugin.
The version that's described in the article is not a plugin. It's a little app you download from Dell that runs in the Windows taskbar. The Dell service web page communicates with it over HTTP using Javascript. I think Dell serves a plugin if you're running a browser they support, and the standalone app otherwise.
The quick way to check for the vulnerable version is to look at what's running in the notification area of the taskbar.
...ot any other Dell machine I've had in. Always had to type the tag into the support website to get the accurate data and never bothered with the app as it's quicker to just type it in.
I have to say though, Dell's service tag system is excellent for getting the right drivers/info etc.
Much better than having to rifle through to say an Acer Aspire 5000 then have to navigate through 87 different variants in the hope you got the right one.
It isn't installed by default on any of the machines around here ( >200 Dells). But I did find it on several I've used for diagnostic purposes & image building.
It auto-updates itself and runs at start-up as well... isn't that lovely? Remove it like any other program.
http://www.dell.com/support/Article/us/en/04/576402/EN
This particular vulnerability is due to how the Dell utility receives and authenticates requests, and what types of request it supports. The Lenovo and HP update-helper apps may well have security holes, but they're unlikely to be the same as this one.