Dell certificates and the next zero-day threat

It’s not enough to outsmart the bad guys. These days you also have to plan for the good guys screwing up, and Dell just did: it was caught shipping computers with a pre-installed root certificate, private key included, that left users open to attack.

The eDellRoot certificate blunder allowed attackers to intercept users’ HTTPS browsing and trick them into installing malware. Because the certificate was a trusted root CA and its private key shipped on every affected machine, anyone holding that key could issue certificates for any website, or sign software, that those machines would accept without a warning. Even worse, the certificate reinstalled itself if users removed only the certificate: a Dell Foundation Services plugin put it back unless that plugin was removed as well.

After the vulnerability was uncovered, security firms published an array of technical remedies explaining how to remove the certificate step by step. Microsoft also stepped in with a Certificate Trust List update so that Windows no longer trusts the certificates.

But that is just part of the story. Researchers from Duo Security believe this is not a one-off event. They found the same eDellRoot certificate, with the same key, on hosts at multiple IP addresses and concluded that Dell had distributed identical keys across multiple models.

The Duo Security discovery substantially alters the story. This is no longer about carefully removing one known-bad certificate “X”; it is a class of problem: any trusted root certificate whose private key is not actually private turns every machine that trusts it into a man-in-the-middle target. So the real question becomes: how do you design a system that detects and removes such a threat automatically, before anyone builds an attack on it?

This is the type of situation where the Avira Intelligent Repair System (AIRS), Avira’s cloud-based system for automatically repairing registry changes, really comes into play (the Windows certificate stores live in the registry, which is what makes this a repair job for AIRS). Avira users with the suspect certificates didn’t have to make any manual changes to their computers; Avira handled the removal automatically.

The simplified scenario is as follows:

  • One or more modules in the antivirus engine, in the Avira Cloud or in the virus definition files, detect a suspicious pattern and alert the Avira backend.
  • If a potential threat is confirmed on the affected computer, AIRS starts to act.
  • AIRS’s RepairRoutine checks every certificate stored in the Trusted Root Certification Authorities store on that computer.
  • If there is a problem, as with the suspect eDellRoot certificate, the RepairRoutine removes the complete entry and no further action is needed by the customer.
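The root-store check described above, as an added example that is not Avira’s AIRS code or Dell’s removal tool. It goes one step beyond the single eDellRoot case: besides a known thumbprint, it flags any trusted root certificate that carries its own private key on the machine, because that is the property that made eDellRoot exploitable and it is exactly what a recurrence on another model would look like. The eDellRoot thumbprint, the Dell Foundation Services display name and the plugin DLL path are assumptions taken from the published removal steps and should be verified before use; a machine that legitimately runs its own CA or developer tooling may also have a root with a private key, so review the report before dropping -WhatIf.

```powershell
# Added example, not Avira's AIRS or Dell's remediation tool: audit the
# Trusted Root stores and remove a root CA that should not be there.
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later
# (Export-Certificate needs the PKI module). Use -WhatIf first.

# Published SHA-1 thumbprint of eDellRoot. Assumption: confirm it against
# Dell's advisory before relying on it; add further thumbprints as needed.
$script:KnownBadThumbprints = @('98A04E4163357790C4A79E6D713FF0AF51FE6927')

function Get-SuspiciousRootCert {
    # Returns one finding per root certificate that is either a known-bad
    # thumbprint or carries its own private key on this machine. A root CA's
    # private key has no business on an end-user PC: with it, anyone can mint
    # certificates for any site (or sign code) that this machine will trust.
    [CmdletBinding()]
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path)) {
            $reasons = @()
            if ($script:KnownBadThumbprints -contains $cert.Thumbprint) {
                $reasons += 'known-bad thumbprint'
            }
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present for a trusted root'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    StorePath  = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reason     = ($reasons -join '; ')
                }
            }
        }
    }
}

function Stop-CertReinstaller {
    # eDellRoot came back after deletion because a Dell Foundation Services
    # plugin re-added it, so stop the service and quarantine the plugin before
    # touching the store. Service display name and DLL path are assumptions
    # taken from the published removal steps; adjust them if they differ.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ServiceDisplayName = 'Dell Foundation Services',
        [string]$PluginPath = "$env:ProgramFiles\Dell\Dell Foundation Services\Dell.Foundation.Agent.Plugins.eDell.dll"
    )
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess($svc.Name, 'Stop service')) {
        Stop-Service -Name $svc.Name -Force
    }
    if ((Test-Path -LiteralPath $PluginPath) -and $PSCmdlet.ShouldProcess($PluginPath, 'Quarantine plugin')) {
        Rename-Item -LiteralPath $PluginPath -NewName ("$(Split-Path $PluginPath -Leaf).quarantined")
    }
}

function Remove-SuspiciousRootCert {
    # Exports each flagged certificate as evidence, then removes it together
    # with its private key (-DeleteKey) so it cannot simply be re-imported.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Finding,
        [string]$EvidenceDir = "$env:ProgramData\CertAudit"
    )
    begin { New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null }
    process {
        $certPath = Join-Path $Finding.StorePath $Finding.Thumbprint
        if (-not (Test-Path -Path $certPath)) { return }
        if ($PSCmdlet.ShouldProcess("$($Finding.Subject) [$($Finding.Thumbprint)]", 'Remove root certificate')) {
            Export-Certificate -Cert (Get-Item -Path $certPath) `
                -FilePath (Join-Path $EvidenceDir "$($Finding.Thumbprint).cer") | Out-Null
            Remove-Item -Path $certPath -DeleteKey
            Write-Verbose "Removed $($Finding.Subject) from $($Finding.StorePath): $($Finding.Reason)"
        }
    }
}

# Usage: audit, stop the reinstaller, then remove. Drop -WhatIf once the report looks right.
$findings = Get-SuspiciousRootCert
$findings | Format-Table Subject, Thumbprint, Reason -AutoSize
if ($findings) {
    Stop-CertReinstaller -WhatIf
    $findings | Remove-SuspiciousRootCert -WhatIf
}
```

The order matters: removing the certificate before the reinstaller is stopped is exactly the mistake that let eDellRoot come back, which is why the cleanup stops the service and quarantines the plugin first and only then deletes the store entry, key included.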

AIRS has been developed over the past two years by the Avira Virus Labs and our Windows Development Team. Thanks to these new cloud-based RepairRoutines, the Virus Lab can react more quickly to new threats and outbreaks. The Avira Intelligent Repair System helped Avira win an “Advanced+” rating from AV-Comparatives for malware removal and cleanup.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.