Security researcher Tom Forbes has published details of vulnerabilities in a tool provided with Dell laptops and desktop which, he claims, allows an attacker to download and install any arbitrary program.
Following on from the beasting rival Lenovo took from the press earlier this year after it was found to bundle an adware package with consumer-grade laptops that tore a massive security hole in the systems, Forbes' blog post
highlights a major vulnerability in the Dell System Detect utility provided on Dell's various devices. Using this software, Forbes claims, it's possible for an attacker to download and install any arbitrary executable code into the system - a major security concern for Dell's users.
'While investigating this rather innocuous looking program I discovered that it accepts commands by listening for HTTP requests on localhost:8884 and that the security restrictions Dell put in place are easily bypassed,
' Forbes wrote of his research, 'meaning an attacker could trigger the program to download and install any arbitrary executable from a remote location with no user interaction at all.
Forbes contacted Dell regarding the issue late last year, and two months later was advised that the exploit had been closed - something he confirmed with further testing in January. To allow the security patch time to be distributed, Forbes waited until this week to publish the details of the vulnerability.
Speaking to The Register
, Dell denied that the tool represented a back-door into the systems - although it did so using a lightly reworded copy of a statement it issued back in 2013
after German paper Der Spiegel accused the company's devices of playing host to back-doors created by the US National Security Agency (NSA).
Recent Dell systems, and those that have received the software update, are protected against Forbes' vulnerability but the researcher warns that it may simply be harder, rather than impossible, to exploit as a result. 'I don't think Dell should be including all this functionality in such a simple tool and should have ensured adequate protection against malicious inputs,
' Forbes concluded.