back to article Visiting a booby-trapped webpage could give attackers code execution privileges on HP network printers

Tricking users into visiting a malicious webpage could allow malicious people to compromise 150 models of HP multi-function printers, according to F-Secure researchers. The Finland-headquartered infosec firm said it had found "exploitable" flaws in the HP printers that allowed attackers to "seize control of vulnerable devices …

  1. Paul Crawford Silver badge

    Printers, pre-dating IoT for lax security by many years!

    1. Blackjack Silver badge

      That's because printers also predate the Internet.

      1. Stoneshop

        printers also predate the Internet.

        By several centuries.

        1. Blackjack Silver badge

          Re: printers also predate the Internet.

          Please don't explain the joke.

  2. Anonymous Coward
    Joke

    Malware or just a link to the firmware update site?

    If you want to render your HP printer unusable because you used non-branded toner, or have it stop printing black and white because you've run out of magenta, or because the cartridges have "expired" then all you need do is go to the official HP support site and install the latest firmware.

    Are the researchers really sure that installing the latest firmware is the best course of action when dealing with this new threat?

    1. Pascal Monett Silver badge

      That is not a joke. It is reality.

      1. J. Cook Silver badge

        THis is known as a "damned if you do, damned if you don't" scenario.

        the only proper fix is the throw the printer in the trash* and buy a new one, preferably a different brand that doesn't do that sort of nonsense. (or buy a second hand model that pre-dates said nonsense.)

        * or do like the old 80's vintage tire commercial, and throw the broken printer through the corporate headquarter's shiny windows...

        1. John Brown (no body) Silver badge

          "the only proper fix is the throw the printer in the trash* and buy a new one,"

          Many of the HP MFPs out in the wild may be leased on a pay-per-print deal, which seems cheap up front but can get expensive long term. They will usually be "managed" by the lessor, who needs constant external access to your network, the MFPs need to "phone home" frequently to report on usage and order supplies etc. The organisation leasing them will have little control over firmware upgrades, that's the lessors problem. Except now it's also your problem. There's a great big hole in your network. (I would hope that the management interface is a box inside your network and the lessor managing the devices has to log in securely through that, but I bet that's not always the case.)

    2. Bitsminer Silver badge

      Re: Malware or just a link to the firmware update site?

      Pro-tip: When you run out of magenta, and printing is paused because "no colours remain", you can either (a) reboot or (b) find the Services app under Windows Administration, and restart the Print Spooler service. Printing should then begin.

      There is probably a CMD-line incantation to restart the Print Spooler too.

      Extra points for those who can explain why it's called a Spooler.

      1. Licenced_Radio_Nerd
        Boffin

        Re: Malware or just a link to the firmware update site?

        net stop spooler

        net start spooler

        Of course, the above needs admin-rights on a Windows machine, and may need to be restarted on the device that is sharing the printer. Corporate environments will have a server sharing all of the in-office printers, so restarting the spooler service on your laptop/desktop will do little.

        A fun issue is when spooler files (.spl) get stuck and you cannot print. You have to stop the service, dig into where they hide, delete them, then restart the spooler. I have had home-users state they will go and buy a new printer because they cannot print. A quick clear-out of stuck .spl files cures all!

        "Spooler" is probably a hang-over from the days of dot-matrix and daisy-wheel printers which had a spool of ink infused ribbon. Or it was called that as a joke, and no-one bothered to change it...

        1. Captain Scarlet

          Re: Malware or just a link to the firmware update site?

          Why not just turn off snmp pooling on the printer port (Uncheck "SNMP Status Enabled" on the port settings, been the same box since Windows 2k)?

          Much simpler than restarting the print spooler service.

          Also some applications still call printing spooling (Such as Sage Line 500)

          1. Licenced_Radio_Nerd

            Re: Malware or just a link to the firmware update site?

            You can see the same errors of stuck spooler files when printing via USB.

            1. Captain Scarlet

              Re: Malware or just a link to the firmware update site?

              Sorry I wasn't applying this to stuck spooler files, but to get around the print spooler service not sending a print when the status was in error.

              I probably should have replied to the first post.

        2. Licenced_Radio_Nerd
          Happy

          Re: Malware or just a link to the firmware update site?

          According to Wiktionary:

          Spooler

          1. (computing) A program or process that spools (places data in a queue to be accessed later)

          The print spooler sends each page to the printer when it is ready for it.

          So now we know.

        3. cuthbertgraak

          Re: Malware or just a link to the firmware update site?

          "Spooler" is the term we use to refer to a utility that manages the "spool", and "spool" refers to the ancient (for computing) acronym S.P.O.O.L., meaning "Simultaneous Peripheral Operations On Line".

          "Spool" is also a play on what a spooler does: it writes a stream of data that gets stored in a fifo buffer (like thread on a spool) to be read out later (unspooled) to a peripheral device. Originally, that "spool" was a physical spool of magnetic tape that one computer would write, and another computer would read and print

      2. billat29

        Re: Malware or just a link to the firmware update site?

        Simultaneous Peripheral Operations OnLine.

        We're in IBM mainframe days here, It allowed a program to write its output to a file on one of those newfangled disks for subsequent printing on a good old fashioned chain printer. Prior to that, the printer was directly attached to the program and as printers are very very slow, the program would hog the CPU spending nearly all of its time waiting for the printer.

        https://www.ibm.com/docs/en/zos/2.1.0?topic=control-spool-data-sets-spooling

        1. Bitsminer Silver badge
          Pint

          Re: Malware or just a link to the firmware update site?

          Aaaaand the winner is....

        2. hayzoos

          Re: Malware or just a link to the firmware update site?

          I always thought spooling was so named because print jobs were buffered to the tape unit which had tape on reels AKA spools.

      3. Phones Sheridan Silver badge

        Re: Malware or just a link to the firmware update site?

        My printer goes offline when it runs out of colour ink, and won't come back on until a new cartridge is inserted. The usual LCD menu is replaced with a big yellow exclamation mark and a message, and will not perform any configuration functions. Stopping and starting the spooler would probably bypass any windows driven reporting, but not printer hardware blocks.

    3. weirdbeardmt

      Re: Malware or just a link to the firmware update site?

      This.

      We have several of these but stopped updating the firmware a while back when they tried to bork printers not using OEM ink. So it's now Catch-22... although the financial damage from network pwnage is probably considerably less than having to buy actual HP ink.

  3. Dan 55 Silver badge

    "Updated firmware is available for download from HP, the company said in a statement."

    Of course, it won't be available for the HP printer you've got.

    1. Nunyabiznes

      Re: "Updated firmware is available for download from HP, the company said in a statement."

      Or if it is, it will bork your MFP.

    2. heyrick Silver badge

      Re: "Updated firmware is available for download from HP, the company said in a statement."

      Or is available for the printer you have, but won't install for inexplicable reasons.

      (HP took over Samsung's printer range, there's an updated firmware for my little M2022W laser, but nothing will convince it to touch the update...I suspect it might know something I don't, like "HP? Ewww!")

  4. ecofeco Silver badge

    Booby? Trapped?

    Uhm... sure.

  5. fg_swe Bronze badge

    All The Fun of C

    "buffer overflow"

    If we believe the C advocates, HP employs rookie software developers.

    If we believe Sir Tony Hoare, companies such as HP should use memory-safe programming languages.

    http://sappeur.ddnss.de/

    https://www.rust-lang.org/

    1. Zippy´s Sausage Factory

      Re: All The Fun of C

      Reality: both of those things are true, except HP doesn't employ enough developers anyway.

  6. Eclectic Man Silver badge
    Unhappy

    Print queue robustness

    Once, when working in a secure site, we switched off the printer at the end of the working day and went home. Next morning, enter the office, turn on the computers and the printer. Printer zooms into life, and prints the classified document it was printing before it got switched off last night. Of course the manufacturer was very proud that their printers would remember the print jobs, and it was a matter of operational robustness that a mere power outage would not lose the print queue.

    It was a matter of some concern to the system administrators, how to make sure that just turning on a printer would not reveal highly sensitive information*.

    *(Like the day I spent the whole morning quietly working on reviewing the main contractor's documentation, only to discover that my military officer boss had spent it all 'tweaking' his business card design, and the aforementioned 'Main contractor' had been designing the flyer for the upcoming team social event. Completely true, I could give you their names but they'd have to kill me ...)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like