Skip to main content

'Hundreds of millions' of Dell PCs threatened by security flaws — what to do [updated]

Best Laptops: Dell XPS 15
(Image credit: Tom's Guide)

Hundreds of millions of Dell desktops, laptops and servers have serious security flaws that could allow malware to take over the machines.

The flaws, five in all, have to do with a system driver dating back to 2009 called dbutil_2_3.sys, which lets the user update a computer's BIOS/UEFI firmware (the low-level motherboard software that starts up a PC) from Windows. 

Newer Dell machines have this flawed driver pre-installed, said Sentinel One researcher Kasif Dekel in a report. Older Dell machines may have installed the driver when the updated their BIOS/UEFI or other firmware. 

All versions of Windows are affected, although Dell machines running Linux should be fine.

What you can do now

To fix this flaw, Dell has released a tool that removes the dodgy system driver. You'll have to input your Dell model name or service tag, and then the tool's web page should provide the correct driver along with the removal tool.

However, we found that not everyone can use the tool. While there's a fix available for our 2018 Dell Latitude 5490, our 2013 Dell XPS 13 (which runs the latest Windows 10 build just fine) is out of luck. 

[Correction: We took a second look at the tool page, which is a bit confusing, and realized that what it actually says is that not all systems, especially many that are out of service, cannot get new drivers to replace the faulty one. But all systems can download and use the tool, which you can find at the bottom of the tool page.]

Dell is promising an "enhanced" version of the firmware-removal-and-update tool on May 10 that may resolve some of the issues above. It's hard to tell because neither Dell's security advisory nor its FAQ about the flawed driver were written with anyone but IT professionals in mind. 

Alternately, Dell says, you can see if the dbutil_2_3.sys driver file is in the filepaths "C:\Users\<username>\AppData\Local\Temp" or "C:\Windows\Temp". 

If it is, then select it and click the Delete key on your keyboard while holding down the Shift key to permanently delete the file.

How the flaws let hackers take over your machine

Dekel isn't explaining exactly how these flaws, grouped together in the single vulnerability listing CVE-2021-21551, can be exploited. 

Sentinel One, Dell and Microsoft agree that they won't divulge the details until users have had some time to patch the flaws. But the upshot is that a local user, even one with limited privileges, can use these flaws to "escalate privileges" and gain full system control.

"The high severity flaws could allow any user on the computer, even without privileges, to escalate their privileges and run code in kernel mode," wrote Dekel in his company's report. "Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products" such as antivirus software.

Kernel mode is a system privilege that even users with administrative privileges — the ability to install, update and delete software — don't normally get. 

This means that malware that infects even the least-privileged user account — say, one belonging to a child — can use these flaws to add new powers and totally take over the system.

Here's a video by Sentinel One that shows one of these exploits in action. The command-line screens show a "weak user" with limited privileges running a program called "exploit.exe" that suddenly gives the "weak user" a whole lot of system privileges.

Dekel said that as of yesterday, when his report was released, there was no indication that any bad guys had used these flaws to attack machines.

Update: Dell clarifies some things

A Dell spokesperson told us that "older Dell machines will be able to use the driver-removal tool" as it exists, and that May 10 is simply when Dell owners will start seeing notifications that they need to run the tool.

We were advised to look at two long lists of devices on the official Dell security advisory, one for models still being supported, the other for those that have reached "end of service life." (Our 2013 XPS 13 didn't seem to be on either list.)

For devices that had reached end of service, the Dell representative said, the user must take one of the three options in Step 1 of the security advisory: run the driver-removal tool as it is, remove the driver manually or wait to be notified on May 10. Removal of the faulty driver must be done after updating the BIOS/UEFI, other firmware or other drivers.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. That's all he's going to tell you unless you meet him in person.