HP fills LaserJet security hole
- — 07 April, 2006 08:38
HP is warning of a vulnerability in some of its printer driver software that could allow hackers to siphon information from a user's PC.
The unusual security alert -- printer software is not usually at the forefront of security worries -- affects anyone using a Windows Toolbox utility that comes with the company's Color LaserJet 2500 and 4600 printers.
HP is advising anyone affected to download a fix as soon as possible after studying update instructions on its site.
The browser-like Toolbox program is used mainly to monitor printer status, and is thought to be vulnerable when it has been installed in its default configuration, which would be case for the overwhelming majority of the users.
HP has been less than candid about the inner workings of the vulnerability in its official report. According to Secunia's website, "The vulnerability is caused due to an input validation error in the built-in HTTP server. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks."
Arbitrary files, in this instance, could be taken to mean any printable file on the PC and not just files being printed or processed by the driver at a particular point in time.
The Secunia site also describes the hole as "less critical", which probably means that no exploits are known of, and attributes its discovery to a researcher, Richard Horsman.