Insecurity Through Your Printer?

It seems that this is so. Who would think that your system could be compromised, from a distance, because of your printer?

Over at PC Advisor, we are given the information that, along with the web based interface that is used, the firmware on certain Hewlett Packard printers can allow the retrieval of information you probably don’t want known.

HP printer owners are being urged to update firmware in a bid to ensure hackers can’t get access to documents previously printed from the device.

HP said that users of certain LaserJet, Color LaserJet and Digital Sender models are affected, and urged them to immediately download and install firmware upgrades.

The devices include 10 different LaserJet models - ranging from the 2410 to the 9050 - two Color LaserJet models and the 9200C Digital Sender, a sheet-fed document scanner.

According to Digital Defense, the security company that reported the problem to HP last October, attackers can exploit a bug in the printers’ web-based control interface to “read arbitrary system configuration files, cached documents, etc”.

Exploiting the vulnerability, the Digital Defense researchers said, is “trivial” with common web server “directory traversal” tactics. A directory transversal attack is an HTTP-based exploit that lets attackers access restricted directories, and execute commands outside of the server’s root directory.

Adrien de Beaupre, an analyst with the SANS Institute ’s Internet Storm Center (ISC), agreed the importance of patching printers. “The impact might not seem severe, as in the attacker can view the printer configuration; however, viewing cached versions of printed documents Can be,” he said in an alert on the ISC site.

Other than patching, the only other defensive measure available is to disable access to the printers’ online control interface, de Beaupre added.

HP listed the affected printers in a security bulletin, which also included instructions on how to download the firmware update.

It can make you glad you own an earlier model, or one from another manufacturer. Still, once patched, all seems to be well.

Check out the site if you own one of the affected printers; the butt you save may be your own. Also, PC Advisor, from the U.K., frequently has a fresh way of looking at something, I check in often, as the entire world doesn’t think alike just yet.

-

Quote of the Day:

Show me a thoroughly satisfied man, and I will show you a failure.
–Thomas Edison