HP firmware to 'mitigate' LaserJet vulnerability

The company says it's issuing a firmware update to address a "certain type of unauthorized access" to some LaserJet printers, and insists no customers have complained of unwanted access.

Hewlett-Packard said today that it has taken steps to prevent a "certain type of unauthorized access" to LaserJet printers.

The company didn't describe its new firmware as a fix for the potential printer problem. Instead, it rather delicately used the word "mitigate," the dictionary definition of which is "to make less severe or painful." Here's HP's full statement on the matter:

HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorized access to HP. HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

Then again, HP has steadfastly declared that no customers have reported unauthorized access and that the issue was overblown from the start, as in late November, when it said "there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers."

At that time, it described the nature of the problem and promised a firmware update to address the issues:

The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP also at that time decried "speculation" that the LaserJets in question could catch fire because of a firmware update or "this proposed vulnerability."

Despite those assurances, HP became the target of a lawsuit in early December alleging that the company sold those printers even though it knew of those alleged vulnerabilities. The lawsuit charges that software on the printers that allows for updates over the Internet does not use digital signatures to verify the authenticity of any software upgrades or downloaded modifications.

About the author

Jonathan Skillings is managing editor of CNET News, based in the Boston bureau. He's been with CNET since 2000, after a decade in tech journalism at the IDG News Service, PC Week, and an AS/400 magazine. He's also been a soldier and a schoolteacher, and will always be a die-hard fan of jazz, the brassier the better.

