Dell security flaw from 2009 affects 'hundreds of millions' of PCs - barrettdards1960

Gordon Mah Ung/IDG

Starting time, the bad news: Security researchers recently discovered five high-hardship flaws in Dell's firmware update driver—and they've been pushed to customer computers of all time since 2009. Now the good news: A fix is already (finally?) ready for hoi polloi who own Dell desktops, laptops, and tablets.

You'll want to capitalise if you're affected, equally the secretive code South Korean won't stay a secret for long.

"These dual high severity vulnerabilities in Dell software could permit attackers to step up privileges from a non-administrator user to gist mode privileges," writes Kasif Dekel, a security department researcher at SentinelOne that sniffed out the exposure. That could rent attackers bypass security software Oregon assault the meshwork of an establishment that deploys Dell PCs. "Over the years, Dingle has discharged BIOS update utilities which contain the vulnerable driver for hundreds of millions of computers (including desktops, laptops, notebooks, and tablets) worldwide."

Yep, that's bad news okay—but it power not be quite as bad Eastern Samoa it sounds. "At this time, SentinelOne has not observed evidence of in-the-risky abuse," Dekel says. The company is withholding its proof-of-concept for the flaws until June 1 to kick in users time to get patched and protected.

Dingle also says that "The vulnerability cannot follow exploited remotely. A malicious actor mustiness first obtain (topical anaestheti) attested access to your device." The penury for an attacker to be physically sitting at your computer greatly reduces the practical reach of potential exploits, though these remain critical flaws that should be patched.

Thereon note, Dell just published a security advisory about the vulnerabilities (collectively identified American Samoa CVE-2021-21551) that offers several methods to reparation the issues. On that point's also a helpful FAQ written in plainer language. You'll need to eradicate the troublesome driver premier, either aside running the Dell Security Advisory Update – DSA-2021-088 utility or past manually removing the vulnerabledbutil_2_3.sys driver. By May 10, Dell's system management apps (such atomic number 3 Dell Overlook Update, Dell Update, and Alienware Update) will also be able to perform the task. Nuking the file eliminates the scourge.

Do it. "While we harbor't seen any indicators that these vulnerabilities have been exploited in the wild up public treasury like a sho, with hundreds of million of enterprises and users presently vulnerable, information technology is inevitable that attackers will seek extinct those that do not take the appropriate action," Dekel says.

Subsequently that, you'll necessitate to install a fixed version of the computer software from Dell if you want to bear on receiving firmware updates. Your system's preinstalled Dell management app should handle the process, but the exact details will devolve on your system's configuration. Squashing a bug from 2009 is complex!

Currently, a fixed Windows 10 number one wood is available, and Dingle says one for Windows 7 and 8.1 systems will cost posted by the end of July. Elderly Dell systems beyond their end-of-lifespan don't look equal they'll be regressive, so be sure to edit that unguarded driver on those. Dell says the driver is only in use by the microcode updater, not other system ironware or software, so removing it shouldn't affect your system's performance in any way.

We strongly commend visiting Dell's DSA-2021-088 security page for full inside information on the complex steps that are potentially needed to plug the hole (and to witness the truly staggering list of affected Dell computers). If you want more details about the flaws themselves, check out SentinelOne's disclosure. And if wholly this vulnerability talk has the bark on the back of your neck crawling, our guide to the optimum Windows antivirus software can help ensure your system's surety is in summit-top shape.

Note: When you purchase something afterwards clicking links in our articles, we may earn a small committee. Interpret our assort tie-in insurance for more details.

Brad Chacos spends his days dig through desktop PCs and tweeting too much.