HP firmware to 'mitigate' LaserJet vulnerability
The company says it's issuing a firmware update to address a "certain type of unauthorized access" to some LaserJet printers, and insists no customers have complained of unwanted access.
Hewlett-Packard said today that it has taken steps to prevent a "certain type of unauthorized access" to LaserJet printers.
The company didn't describe its new firmware as a fix for the potential printer problem. Instead, it rather delicately used the word "mitigate," the dictionary definition of which is "to make less severe or painful." Here's HP's full statement on the matter:
HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorized access to HP. HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.
Then again, HP has steadfastly declared that no customers have reported unauthorized access and that the issue was overblown from the start, as in late November when it said "there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers."
At that time, it described the nature of the problem and promised a firmware update to address the issues:
The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.
HP also at that time decried "speculation" that the LaserJets in question could catch fire because of a firmware update or "this proposed vulnerability."
Despite those assurances, HP became the target of a lawsuit in early December alleging that the company sold those printers even though it knew of those alleged vulnerabilities. The lawsuit charges that software on the printers that allows for updates over the Internet does not use digital signatures to verify the authenticity of any software upgrades or downloaded modifications.