HP patches printer firmware flaw, but leaves customers guessing

HP patches printer firmware flaw, but leaves customers guessing

Laser printerThere’s a serious security vulnerability on some HP LaserJet printers.

The good news is that it’s been patched. The bad news is that you don’t know if your HP LaserJet printer needs the fix – because HP hasn’t told you.

Late last year, owners of HP LaserJet printers were warned that their confidential data could be at risk, because of a security vulnerability in the devices.

Researchers at Columbia University demonstrated to reporters that it was possible for remote hackers to install malicious firmware on certain HP printers, without the owner necessarily realising that they were under attack.

Although there was speculation that affected printers could also be fire hazards, that fear appears to have been overhyped – but there were genuine security concerns raised by the vulnerability.

Here’s a video where the researchers discuss their discovery:

The good news is that HP snuck out a fix for affected printers on December 23, 2011. The bad news is that HP customers have no easy way of knowing if they might need it or not.

HP press release

The normal convention for companies disclosing a flaw, is to document which products are affected and what the risks are if the vulnerability is not patched. That, after all, is useful information for customers and helps them decide if they need to take action.

HP, however, hasn’t provided any details in their press release about which printers are impacted by the vulnerability – which means that you don’t know if you need to update your printer’s driver or not.

Instead, HP recommends that LaserJet owners visit www.hp.com/support and select “Drivers”.

Imagine the millions of people who could waste their time, looking for a driver update when it might be that their printer doesn’t require one. Wouldn’t it have been easy and much *better* for HP to have been a little more open about which of their products suffer from the security issue?

My suspicion is, sadly, that HP’s lack of information and low key response to the security vulnerability will simply mean that many LaserJet owners will be blissfully unaware that they could be at risk, and won’t look for a security update.

Be honest – if you have an HP LaserJet, have you gone looking for a firmware update since December 23rd?

Update:Many thanks to Naked Security’s superb readership, who have managed to dig out a list of affected printers on HP’s website. Of course, it would have been nice if it had been a little easier to find, or linked to from HP’s press release. Never mind, HP. Naked Security’s readers have done the job for you.