Sophos: HP Fumbled LaserJet Security Fix


Security vendor Sophos has complained that Hewlett-Packard could have made it easier to find a list of LaserJet printers affected by a flaw that could expose customers' confidential data to an attacker.

HP released a firmware update Dec. 23 to fix the vulnerability. While Sophos welcomed the patch, the company complained Thursday that HP did not provide an easy-to-find link to the list of printers that needed the update.

"It would have been nice if it had been a little easier to find, or linked to from HP's press release (announcing the fix)," Graham Cluley, senior technology consultant at Sophos, said Thursday in the company's blog.

HP bristled at the complaint, saying a link to the affected printers was in the Security Bulletin, which was "published, available and proactively pushed to customers."

"While the list is readily available, if/when customers have contacted us to request the list or information regarding the firmware update, we have also been personally replying to their requests," HP spokesperson Alison B. Graves said in an e-mail.

Columbia University's Computer Science Department first reported the vulnerability in November. An attacker could exploit the flaw to compromise PCs on a corporate network, the researchers said. A hacker could also bombard a LaserJet with instructions, causing its ink-drying element to heat up to the point where it could ignite printer paper.

While the potential fire hazard made headlines, Sophos acknowledged that the problem appeared to be "overhyped." Nevertheless, "there were genuine security concerns raised by the vulnerability," Cluley said.