HP patches printer firmware flaw, but leaves customers guessing

There’s a serious security vulnerability on some HP LaserJet printers.

The good news is that it’s been patched. The bad news is that you don’t know if your HP LaserJet printer needs the fix – because HP hasn’t told you.

Late last year, owners of HP LaserJet printers were warned that their confidential data could be at risk, because of a security vulnerability in the devices.

Researchers at Columbia University demonstrated to reporters that it was possible for remote hackers to install malicious firmware on certain HP printers, without the owner necessarily realising that they were under attack.

Although there was speculation that affected printers could also be fire hazards, that fear appears to have been overhyped – but there were genuine security concerns raised by the vulnerability.

Here’s a video where the researchers discuss their discovery:

http://www.youtube.com/watch?v=njVv7J2azY8

The good news is that HP snuck out a fix for affected printers on December 23, 2011. The bad news is that HP customers have no easy way of knowing if they might need it or not.

HP press release

The normal convention for companies disclosing a flaw is to document which products are affected and what the risks are if the vulnerability is not patched. That, after all, is useful information for customers and helps them decide if they need to take action.

HP, however, hasn’t provided any details in their press release about which printers are impacted by the vulnerability – which means that you don’t know if you need to update your printer’s driver or not.

Instead, HP recommends that LaserJet owners visit www.hp.com/support and select “Drivers”.

Imagine the millions of people who could waste their time looking for a driver update when it might be that their printer doesn’t require one. Wouldn’t it have been easy and much *better* for HP to have been a little more open about which of their products suffer from the security issue?

My suspicion is, sadly, that HP’s lack of information and low-key response to the security vulnerability will simply mean that many LaserJet owners will be blissfully unaware that they could be at risk, and won’t look for a security update.

Be honest – if you have an HP LaserJet, have you gone looking for a firmware update since December 23rd?

Update: Many thanks to Naked Security’s superb readership, who have managed to dig out a list of affected printers on HP’s website. Of course, it would have been nice if it had been a little easier to find, or linked to from HP’s press release. Never mind, HP. Naked Security’s readers have done the job for you.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
