Dell denies 'insecure autoupdate app' flings open PC backdoor

  • 24 March 2015

Gov software implant? Not us - never, says hardware giant

24 Mar 2015 at 11:19, John Leyden
 
Dell has denied building backdoors into its kit following a security researcher's discovery of an insecure update assistant app.
Tom Forbes alleges that the Dell Service Tag Detector app* is so insecure that it creates a backdoor on machines it is installed upon.
More specifically, Forbes alleges that the app carries a Remote Code Execution (RCE) risk which, if true, would create a means for hackers and cyberspies to smuggle malware onto vulnerable systems.
An attacker could trigger the program to download and execute an arbitrary file without any user interaction, according to Forbes.
"The little 'Dell Service Tag Detector' program that they push people to download on the Dell.com website does a lot more than just detect service tags - it gives Dell access to your entire machine, allowing them to download and install software and collect system information without you knowing," Forbes told El Reg.
"Their security check was pretty much "if 'Dell' is in the referrer then do anything they want", so a hacker could trigger a request from "hacker.com/dell" and it would be verified, meaning they could trigger it to download and run any executable from any web address with no prompts, as well as collecting system information and uploading files from the victim's computer," he added.
 
full article
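
An added example, not part of the original post or the article and not Dell's code: the substring test Forbes describes, next to a check that parses the referrer and compares only its scheme and host. The function names, `TRUSTED_DOMAIN` and all sample referrers except "hacker.com/dell" are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "dell.com"  # assumption: the one domain the vendor controls


def substring_check(referrer: str) -> bool:
    """The check as Forbes describes it: 'dell' anywhere in the referrer."""
    return "dell" in referrer.lower()


def strict_origin_check(referrer: str) -> bool:
    """Accept only https URLs whose host is the trusted domain or a subdomain."""
    try:
        parts = urlsplit(referrer)
        host = parts.hostname
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".").lower()
    # Path, query and userinfo are never consulted, only the parsed host.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample referrers; only "hacker.com/dell" comes from the article.
SAMPLES = [
    "https://www.dell.com/support/home",
    "http://hacker.com/dell",
    "https://www.dell.com.example.net/",
    "https://example.net/?ref=dell",
    "https://notdell.com/",
    "https://dell.com@example.net/",
]


def compare(samples=SAMPLES):
    """Return (referrer, substring_result, strict_result) for each sample."""
    return [(r, substring_check(r), strict_origin_check(r)) for r in samples]


if __name__ == "__main__":
    for referrer, weak, strict in compare():
        print(f"{referrer:40} substring={weak!s:5} strict={strict}")
```

The Referer header is supplied by the client, so even the strict check is only a filter; anything the tool downloads still needs its own verification, such as a signature check, before it runs.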

1 reply

March 25, 2015
 
A flawed Dell support tool could potentially be used by cybercriminals to compromise the system. The vulnerability was found by Tom Forbes, a security engineer, when he reverse engineered the code to see where it led. He found that any website with the word “dell” in the referral URL could help cybercriminals to send their own script to the Dell computer requesting the support.
Full Article