First, the bad news: Security researchers recently discovered five high-severity flaws in Dell’s firmware update driver—and they’ve been pushed to customer computers ever since 2009. Now the good news: A fix is already (finally?) available for people who own Dell desktops, laptops, and tablets.
You’ll want to take advantage if you’re affected, as the secretive code won’t stay a secret for long.
“These multiple high severity vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges,” writes Kasif Dekel, a security researcher at SentinelOne who sniffed out the vulnerability. That could let attackers bypass security software or assault the network of an organization that deploys Dell PCs. “Over the years, Dell has released BIOS update utilities which contain the vulnerable driver for hundreds of millions of computers (including desktops, laptops, notebooks, and tablets) worldwide.”
Yep, that’s bad news all right—but it might not be quite as bad as it sounds. “At this time, SentinelOne has not discovered evidence of in-the-wild abuse,” Dekel says. The company is withholding its proof-of-concept for the flaws until June 1 to give users time to get patched and protected.
Dell also says that “The vulnerability cannot be exploited remotely. A malicious actor must first obtain (local) authenticated access to your device.” The need for an attacker to already have a foothold on your computer, whether physically sitting at it or running code under an ordinary user account, greatly reduces the practical reach of potential exploits, though these remain critical flaws that should be patched.
Do it. “While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild up till now, with hundreds of millions of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action,” Dekel says.
After removing the vulnerable driver, you’ll need to install a fixed version of the software from Dell if you want to continue receiving firmware updates. Your system’s preinstalled Dell management app should handle the process, but the exact details will depend on your system’s configuration. Squashing a bug from 2009 is complicated!
Currently, a fixed Windows 10 driver is available, and Dell says one for Windows 7 and 8.1 systems will be posted by the end of July. Older Dell systems that are past end-of-life don’t appear to be getting a fix, so be sure to delete the vulnerable driver on those. Dell says the driver is only used by the firmware updater, not by other system hardware or software, so removing it shouldn’t affect your system’s performance in any way.
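For administrators who need to check a fleet rather than one machine, the following PowerShell script inventories any copies of a named driver file in the temp folders where a BIOS updater typically drops it, records their hash and signer, checks whether a kernel driver service still references the file, and only then (with the `-Remove` switch) deletes it. This is an added example written for this page, not Dell’s own tooling or a script from the article; the file name `VULNERABLE_DRIVER_NAME.sys` is a placeholder to be replaced with the exact name and locations given in Dell’s DSA-2021-088 advisory, and the choice of temp folders to search is an assumption based on how such updaters usually behave.

```powershell
# Added example, not Dell's tooling: find, document and optionally remove a driver file
# left behind by a firmware updater. Run from an elevated PowerShell session.
# $DriverFileName is a placeholder; take the real file name and paths from Dell's DSA-2021-088 advisory.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DriverFileName = 'VULNERABLE_DRIVER_NAME.sys',   # placeholder, fill in from the advisory
    [switch]$Remove                                            # without this switch the script only reports
)

# Candidate locations (assumption): the system temp folder plus every user's local temp folder.
$candidates = @("$env:SystemRoot\Temp")
$candidates += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

$found = foreach ($dir in $candidates) {
    Get-ChildItem -Path $dir -Filter $DriverFileName -File -ErrorAction SilentlyContinue
}

if (-not $found) {
    Write-Output "No copy of $DriverFileName found in the checked temp folders."
}

foreach ($file in $found) {
    # Record hash, signer and timestamp so the finding can be compared with the advisory before acting.
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path     = $file.FullName
        SHA256   = $hash
        Signer   = $sig.SignerCertificate.Subject
        SigState = $sig.Status
        Modified = $file.LastWriteTime
    } | Format-List

    # A driver that is still registered as a service must be stopped and unregistered before its file goes;
    # deleting the file underneath a loaded driver leaves a dangling service entry.
    $loaded = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$($file.Name)*" }
    if ($loaded) {
        $loaded | ForEach-Object {
            Write-Warning "Driver service '$($_.Name)' (state: $($_.State)) references $($file.Name); stop and remove it first."
        }
    }
    elseif ($Remove -and $PSCmdlet.ShouldProcess($file.FullName, 'Delete driver file')) {
        Remove-Item -Path $file.FullName -Force
        Write-Output "Removed $($file.FullName)"
    }
}
```

Run it once without `-Remove` to get an inventory, then with `-Remove -WhatIf` to preview deletions, and finally with `-Remove` alone. Keeping the SHA256 and signer in the output lets a SOC correlate the finding with the advisory and with any endpoint telemetry before the file is gone.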
We strongly recommend visiting Dell’s DSA-2021-088 security page for full details on the complex steps that are potentially needed to plug the hole (and to witness the truly staggering list of affected Dell computers). If you want more details about the flaws themselves, check out SentinelOne’s disclosure. And if all this vulnerability talk has the skin on the back of your neck crawling, our guide to the best Windows antivirus software can help ensure your system’s security is in tip-top shape.
Brad Chacos spends his days digging through desktop PCs and tweeting too much. He specializes in graphics cards and gaming, but covers everything from security to Windows tips and all manner of PC hardware.