Greetings!
We're a little late this month, due to the
newsletter editor having to step away from his
keyboard to fill a large laser cartridge order.
The order's done and we're back at the computer,
ready to share some interesting printing-related
articles with you.

Networked printer vulnerabilities

A recent article in ComputerWorld magazine exposes a
vulnerability to your business and home network that
many haven't considered or guarded against: the
networked printer. Certainly no hacker or virus
could attack your network through your printer.
Don't be so sure.

The Blaster worm hit McCormick and Co. hard and
fast. It entered the famous spice company through a
service provider connection and ripped across plants
and offices in a matter of hours. What was most
vexing, however, was that the virus kept coming back
on disinfected network segments.

Upon further investigation, it turned out that
Blaster, as well as some instances of the Sasser
worm, were trying to repropagate from infected
network printers.

“Printers were just one of several types of systems
contributing to the nightmare at the time,” says
Michael Rossman, who’d just taken over as global
director of IT services and information security at
McCormick at the time of the worm outbreak in 2003.
“Blaster went to all our PCs, our radio frequency
units, our handhelds. And, we learned belatedly, it
also spread to our printers.”

Blaster and Sasser gave IT execs some religion about
the vulnerabilities network printers can introduce
to corporate networks, Rossman says. Since then,
however, there has been little evidence of
printer-based attacks spreading across large
networks. Corporate IT shops haven’t been concerned
about printer security. Instead of patching and
hardening printers, they have been complacent.

Security experts say that printers are loaded with
more complex applications than ever, running every
vulnerable service imaginable, with little or no
risk management or oversight.

If these systems aren’t hardened, users may soon
find their printers rendered inaccessible by
attackers, their valuable documents heisted or their
printers turned into remote-controlled bots —
launching pads for further attacks.

The problem, of course, is that printers aren’t on
the agendas of many security managers. “It’s been my
experience that these devices have been completely
overlooked from a risk management perspective,” says
security researcher Brendan O’Connor. “They’re
installed. They work. And nobody pays them any
attention until it’s time to install a new paper
tray or print cartridge.” In essence, networked
printers need to be treated like servers or
workstations for security purposes — not like dumb
peripherals.

He described the kinds of mischief you could do with
a compromised printer, including password-catching,
password-snarfing (changing passwords), hijacking
functions, grabbing print jobs and playing with a
billing program.

Last year, Symantec logged 12 new
security vulnerabilities for five network printer
brands: Brother, Canon, Epson, Fujitsu,
Hewlett-Packard, Lexmark and Xerox. Twelve may seem
like an insignificant number, but keep in mind that
it’s greater than the number of printer-specific
vulnerabilities found in 2005 (10). And the number
of such vulnerabilities found in the past two years
accounts for nearly half of all printer
vulnerabilities identified since 1997 (52).

“Five years ago, four HP Jetdirect printer
controllers were used in a denial-of-service attack
that took down an ISP in New Mexico,” says Paller.
“And more recently, shared printers have become back
doors that allow attackers to bridge from
low-security areas to high-security areas.”

All it takes is any remote code-execution
vulnerability, such as a buffer overflow or
cross-site scripting weakness, to spread a bot to
the printer or use the printer as a launching pad
for other attacks, says Lamar Bailey, senior
operations manager of X-Force, a threat analysis
service of Atlanta-based IBM Internet Security
Systems. ISS keeps a dozen printers in its security
lab so it can test new vulnerabilities.

And, despite opinions to the contrary, network
printers are also already at risk of direct Internet
attacks, say researchers. The first, and most
obvious, link is when organizations put network
printers outside the corporate firewall to make
remote printing easier for employees. This is
something O’Connor, Wysopal and Turner all say they
have seen too frequently in their vulnerability
assessments for clients.

Furthermore, online print-from-anywhere services are
also direct points of attack from the Web. Some of
these interfaces include embedded Web servers and/or
Web pages with IP addresses. This is why, as part of
its risk management policy, McCormick turns off
remote print services, says Rossman.

Of all protective measures to be taken on these
embedded devices, system hardening and patch
management are the most critical, according to
security experts.

“Network printers are large print devices with
embedded Windows systems that are interacting with
the network just like any other Windows-based
system,” says Rossman. “They need to be secured.”