Michael Dell, founder and CEO of Dell Inc., onstage during the 2015 Dell World Conference in Austin, Texas, U.S., on Wednesday, Oct. 21, 2015. Dell World gathers business leaders, technologists, developers and designers to share ideas, stories and practices that guide innovative thinking. Photographer: Matthew Busch/Bloomberg

Dell Computers Have Another Terrible, Gaping Security Hole

Nov 25, 2015

Just as the PC maker addresses a glaring security problem on its computers, another equally bad one surfaces.

Dell's newest vulnerability, much like the previous one, involves the company installing a self-signed security certificate (a digital credential that authenticates websites) alongside a private key (which sort of serves as a password) on its customers' computers. The combination, when met with a little reverse engineering, allows any technically savvy attacker to snoop on users' encrypted Internet traffic, or to steal their sensitive information.

According to a Dell spokesperson, anyone who used the "detect product" function on the company's support site during the month between Oct. 20 and Nov. 24 is likely affected.

Robert Graham, a security researcher and blogger, recently noted how an attacker could take advantage of this flaw. "If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications," he wrote. "I suggest 'international first class' because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking."

The newly uncovered flaw affects a security certificate called "DSDTestProvider." The certificate is installed by Dell System Detect, one of the company's applications, which interacts with the Dell Support website and comes pre-installed on some Dell computers. (More information about the vulnerability is available on the website of CERT, an Internet security group.)

"In the case of Dell System Detect, the customer downloads the software proactively to interact with the Dell Support website so we can provide a better and more personalized support experience," wrote Lauren Willard, a Dell spokesperson, in an email to Fortune. She compared the resulting issue to the one that affected "eDellRoot," the security-compromising certificate that Dell customers first identified on their machines over the past weekend.

"Like eDellRoot, the support certificate in question was designed to make it faster and easier for our customers to get support," the spokesperson said. "The application was removed from the Dell Support site immediately and a replacement application without the certificate is now available. We are proactively pushing a software update to address the issue and have provided instructions to remove this certificate below."

This is not the first time that Dell System Detect has caused a security issue. The cybersecurity firm Malwarebytes discovered earlier this year that the application was vulnerable to remote code execution attacks, which allow attackers to gain full control of affected machines. (Dell quickly fixed the tool.) Other security incidents affecting the application are documented on Dell's website.

Dell customers looking to remedy this newest vulnerability, as well as the earlier one, should follow the instructions provided by Dell on its website.
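
A read-only way to check a Windows machine for the two certificates named in this article, added here as an example and not taken from Dell or from the original story. It assumes the certificate subject (or issuer) contains the name exactly as written above, and it only reports; it removes nothing.

```powershell
# Added example: read-only audit for the two certificate names given in the article.
# Assumption: the subject or issuer distinguished name contains the name as spelled here.
$names   = @('DSDTestProvider', 'eDellRoot')
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-NamedCertificate {
    param(
        [Parameter(Mandatory)] [string]$Pattern,
        [string[]]$Locations = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )
    foreach ($location in $Locations) {
        # -Recurse walks every store under the location (Root, CA, My, ...).
        Get-ChildItem -Path $location -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                # PSParentPath looks like "...Certificate::LocalMachine\Root".
                $storePath = ($_.PSParentPath -split '::')[-1]
                [pscustomobject]@{
                    StorePath     = $storePath
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    # A trusted root whose private key is also on disk is the
                    # combination the article describes.
                    TrustedRoot   = ($storePath -like '*\Root')
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$hits = @(Find-NamedCertificate -Pattern $pattern)
if ($hits.Count -eq 0) {
    Write-Output 'No certificate matching the named subjects was found.'
} else {
    Write-Warning ("{0} matching certificate(s) found." -f $hits.Count)
    $hits | Sort-Object StorePath, Subject | Format-List
}
```

Any hit should be handled with the removal instructions Dell published, since the application that installed the certificate may otherwise put it back.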

Follow Robert Hackett on Twitter at @rhhackett.
