30 million Dell devices are ahead of software with “serious” security flaws

Dell Computer at the Microsoft Construction Conference in San Francisco in 2015.

Dell Computer at the Microsoft Construction Conference in San Francisco in 2015.
Photo: Jeff Chiyu (A.P.)

The main security flaw in Dell Firmware Update and Operating System (BIOSConnect) is that it exposes tens of millions of devices that Dell has already installed.

Sleep computer Reported Thursday Researchers at the security company Eclipseum say they have found a defect in BIOSConnect, part of Dell’s standard support software, and will update the software on a computer system that allows attackers to execute malicious code faster. According to the reportThe researchers said that the vulnerability was so severe that it allowed “opponents to control the device’s boot process and unlock the operating system and top-level security controls”, allowing them to control “the most advanced code on the device.”

There are four distinct vulnerabilities, one of which is the secure connection between the BIOS update and the Dell server, which allows the attacker to switch the device to an updated package. The other three are classified as flood-prone. Eclipse rated the bugs as a serious security risk.

Dell has turned on the software 129 different models PC and laptop, Eclipse estimates that up to 30 million individual devices may be vulnerable. As he says To ZDNet, Eclipseum will first notify the manufacturer of the defects in March 2021. The company has fixed two vulnerabilities on the server side and made two adjustments to the remaining, but requires users to update the UEFI on each device. In its report, the Eclipse researchers advise Dell users to stop relying on BIOSConnect software to implement software updates. (More information is available at Dell Consultant here.)

Fortunately, the researchers also point out that the target machine needs to be redirected to malware. That makes it unlikely to be used on random Dell users, but when it comes to large companies with “supply chain and support infrastructure” Researchers who are interested in hackers write: “Unrestricted control of the weapon of this attack is worth the effort of the attacker.”

as a Belling computer suggests, Security researchers have discovered a number of major errors in Dell software in recent years, including in the support system. Researcher Bill Demirkapi a Remote code performance vulnerability Dell fixes one in 2019 update software DLL Search-Command bug Linn 2020 Random code execution. Other vulnerabilities a Remote code execution bug Dell System Investigation In 2015 and DBUtil driver Last month, hackers were able to seize a sealed machine.