Feeds

HP sneaks out printer firebomb firmware security fix

Says no one has blown up any LaserJets

Top 5 reasons to deploy VMware with Tegile

HP has quietly patched a serious security vulnerability that had left its LaserJet printers open to attack by net villains.

The security bug, first discovered by researchers at Columbia University, created a means for miscreants to install malware on vulnerable devices simply by uploading new firmware to them over a network or tricking users into printing a specially constructed document that installs a malicious firmware update.

The flaw, which stemmed from a failure to ensure firmware updates are digitally signed, could allow hackers to extract files previously printed or scanned by compromised devices, or launch attacks from hacked gear against more sensitive machines from within a corporate network.

Some reports at the time speculated that the same vulnerability could even be used to turn compromised printers into firebombs, although built-in thermal controls are not affected by firmware updates (malicious of otherwise) and ought to prevent this.

HP quietly snuck out a fix for affected printers on 23 December, two days before Christmas, as part of a low-key update. A list of affected devices can be found on HP's website here.

Researchers at Columbia University demonstrated the flaw at the Chaos Computing Congress (28c3) hacker conference in Berlin late last month - a YouTube video is here. ®

Remote control for virtualized desktops

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.