HP patches printer firmware flaw, but leaves customers guessing

Filed Under: Data loss, Featured, Malware, Vulnerability

There's a serious security vulnerability on some HP LaserJet printers.

The good news is that it's been patched. The bad news is that you don't know if your HP LaserJet printer needs the fix - because HP hasn't told you.

Late last year, owners of HP LaserJet printers were warned that their confidential data could be at risk, because of a security vulnerability in the devices.

Researchers at Columbia University demonstrated to reporters that it was possible for remote hackers to install malicious firmware on certain HP printers, without the owner necessarily realising that they were under attack.

Although there was speculation that affected printers could also be fire hazards, that fear appears to have been overhyped - but there were genuine security concerns raised by the vulnerability.

Here's a video where the researchers discuss their discovery:

The good news is that HP snuck out a fix for affected printers on December 23, 2011. The bad news is that HP customers have no easy way of knowing if they might need it or not.

HP press release

The normal convention for companies disclosing a flaw is to document which products are affected and what the risks are if the vulnerability is not patched. That, after all, is useful information for customers and helps them decide if they need to take action.

HP, however, hasn't provided any details in their press release about which printers are impacted by the vulnerability - which means that you don't know if you need to update your printer's driver or not.

Instead, HP recommends that LaserJet owners visit www.hp.com/support and select "Drivers".

Imagine the millions of people who could waste their time looking for a driver update when it might be that their printer doesn't require one. Wouldn't it have been easy and much *better* for HP to have been a little more open about which of their products suffer from the security issue?

My suspicion is, sadly, that HP's lack of information and low-key response to the security vulnerability will simply mean that many LaserJet owners will be blissfully unaware that they could be at risk, and won't look for a security update.

Be honest - if you have an HP LaserJet, have you gone looking for a firmware update since December 23rd?

Update: Many thanks to Naked Security's superb readership, who have managed to dig out a list of affected printers on HP's website. Of course, it would have been nice if it had been a little easier to find, or linked to from HP's press release. Never mind, HP. Naked Security's readers have done the job for you.


16 Responses to HP patches printer firmware flaw, but leaves customers guessing

  1. Sandra Fischer · 970 days ago

    No, I haven't looked for an update since 23 December. I wouldn't be surprised if my printer has the flaw since it is always very temperamental when it comes to connectivity.

    • click here · 672 days ago

      I wonder if I need to worry and need to find a new driver. :(

  2. Edward · 970 days ago

    HP did publish a list, but the new firmware isn't available for any of the models. I searched for the new firmware for more than 10 of the LaserJet printers and I couldn't find the "secure" firmware anywhere. Here is the list: http://h20000.www2.hp.com/bizsupport/TechSupport/...

  3. Gary · 970 days ago

    Unfortunately...this is the first I'm hearing of this!! Which means I should probably start looking for an updated driver since I do in fact own an HP LaserJet. I do think it is a bit ridiculous that HP could not give their customers a decent "heads up" and decided to be all vague and nonchalant over the whole ordeal...way to drop the ball HP!! :(

  4. I have checked the version a few minutes ago but no updates. I wish HP would simply list the printers affected (model numbers).

    Like:

    Affected printer:
    HP 1102w

  5. Sophos Fan · 970 days ago

    I received an email today at 6:30am EST:
    "HP Support Alert!
    HP LaserJet Pro CM1415 Color MFP Series
    HP LaserJet Pro CP1525 Color Printer Series
    HP LaserJet Pro M1536 MFP Series

    A free firmware upgrade is required to keep your ePrint and Print Apps service working. Please go to: http://www.hp.com/go/eprint to download the newest firmware and continue using your ePrint solution. If you do not complete the upgrade, your ePrint and Print Apps may not work after Hewlett-Packard has finished a service upgrade on 1/15/2012. All other product features will continue to work as before. If you have questions, please contact HP Support at http://www.hp.com/support/contacthp."

    Definitely not urgent sounding, or indicative of a security problem!

  6. Keith Furrow · 970 days ago

    Whoa there. Updating the driver (which is installed on your computer) does not patch the firmware on an HP Laserjet printer! Firmware is patched with HP Web Jetadmin or by using the printer's web interface. Also I have never seen firmware on HP's web site in the "drivers" section.

    • LRS · 966 days ago

      In some cases, it can; at least one of the updates for the CM2320 will, without any confirmation, proceed to update the printer's firmware if it's out of date.

      Our IT guy was a bit "wtf" when it happened.

  7. Gavin · 970 days ago

    The main problem I see with HP is that it can already be a huge time-waster identifying which drivers work best for which of their models, especially in a diverse corporate network environment.

    A quick review of this page illustrates that issue:
    http://h20000.www2.hp.com/bizsupport/TechSupport/...

    Now which driver did I pick to get that LaserJet working in the first place?

    HP PCL 6 Driver (non-UPD)
    HP LaserJet Plug and Play package
    Host-based Print/Scan Plug and Play
    HP LaserJet Basic Print and Scan
    HP LaserJet Host-based Basic Driver
    Alternate Windows Vista driver option (select models only)
    Windows Vista driver in compatibility mode (select models only)
    Then if all else fails, there is their Universal Print Driver package

    Who's using what? Does anyone need Postscript? What functionality is used beyond simply printing? Will updating a driver affect customized printing preferences or defaults? Don't forget the shared drivers for other OSs. What if some printers are locally installed in my environment and not shared? Do I have all that accurately documented?

    In short, upgrading an HP driver can be a very very long way removed from "Go to the HP website and click on drivers."

    So I agree -- a list of affected devices would have been extremely useful. But even then, how do I know that my device is vulnerable with the driver choice I used?

    Even better perhaps, releasing firmware upgrades for affected models so the problem could be fixed below the driver level would have been a much more practical fix for us mere customers.

    -- Gavin

  8. Rob · 970 days ago

    It's probably every LaserJet ever invented so they don't want the embarrassment, they just tell all users generally to update their firmware. :P

  9. Altieres Rohr · 970 days ago

    Graham,

    There's a list of affected HP printers at https://h20565.www2.hp.com/portal/site/hpsc/publi...

    (in case the link breaks, it's HP document HPSBPI02728 SSRT100692).

    Some have the patched firmware, while others require the owner to disable remote firmware updates (which might itself require a firmware update that will not patch the flaw by itself).

    They apparently didn't cite this in their press release. Whether that was intentional or bad internal communication is up for guessing.

  10. Zach · 970 days ago

    It's not a driver flaw, it's a firmware flaw. It affects all LaserJets, too, so that may be why there are no specific models listed.

    Also, enterprise networks have tools to update the firmware of their printers over the network. I did it all in 2 hours for 156 printers.

  11. roy jones jr · 969 days ago

    Still, HP doesn't clarify anything about a flaw this big? We see why no one really wants to purchase their products anymore.

  12. macgruber · 965 days ago

    I've never bought an HP printer. Never will...

  13. erics · 868 days ago

    What they neglect to mention to you is that, after this urgent firmware update, some functions will cease to operate as they had up to that point.

    When you complain and request some assistance, they will offer to help you for a mere $39. Or you may take it to a local service center.

    Tell me how a company can release a firmware update to repair its own security flaw, alter functions that had been working up to that point, then request payment to fix the issue?!?

    After having spent $400 on the printer, plus at least $1000 on toner over the last 16 months, I doubt I will ever be purchasing an HP product again. This is, at the very least, incompetence, or at worst, extortion.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.