Firmware update mitigates HP's LaserJet printer security problems
HP has released a firmware update for some of its LaserJet printers, aimed at mitigating the risk posed by a vulnerability disclosed in late November. The company stressed that it will be "communicating this proactively to customers and partners" – though not, it seems, just yet, with the press release on the update giving no details of the changes made by HP and failing to reveal which devices the new firmware is available for.
On the affected models, updates have always been supplied without a digital signature, so the devices will simply accept and install any firmware they are given. A crafted print job sent from a Linux or Mac system can also, in some cases even remotely, trigger a firmware update, allowing an attacker to inject code and take control of the printer.
According to a report by MSNBC, in one test, the University of Columbia researchers who discovered the vulnerability were able to cause the fuser unit to overheat. HP, however, denies that the vulnerability could be used to cause a fire, stating that the presence of a thermal breaker upstream of the fuser prevents overheating.
HP LaserJet users should still keep an eye out for the security update, as they will otherwise be exposed to the risk that their printer could be used to spy on the network to which it is attached. Few administrators would think to firewall a server or other infrastructure off from their own printers.
In its latest notification, as in its initial announcement of the problem, HP is advising users to place their printers behind a firewall and, where possible, to disable the remote update function. The company has put together a web page containing further security tips. Some of these general recommendations are equally applicable to non-HP printers. The risks posed by attacks on networked printers are not a new issue – other manufacturers have also experienced problems in this area.