Linked by Howard Fosdick on Sat 31st Dec 2011 07:57 UTC

Thread beginning with comment 501766
A website on the Internet could include an image with a URL pointing at your router or printer which tries to change settings on that device. It is very common.
Many routers on sale right now have already fixed their problems. It will take years before printers will get fixed.
This is why I always help people to install NoScript, even if I put the JavaScript whitelisting in "globally allow" mode.
It's got another component named ABE (Application Boundaries Enforcer) which includes a default ruleset to prevent just that sort of thing. (Disallowing access to LAN URLs from a WAN document)
(You can also choose to have the XSS filters, clickjacking protection, and securely-implemented Flash/Java/etc. click-to-play active with "globally allow" chosen)
Actually, you can't do that with JavaScript. As I mentioned the attacker just places an <img>-tag.
Well, I guess you can do that with JavaScript but it doesn't have any advantage over using an image.
They might use JavaScript to generate a long list of <img>-tags to try different IP-addresses though.
Just sending a longer HTML page is easy too, of course.
So the only thing you are protecting yourself against in this case is an attacker who expects JavaScript to be available and working.
The question mark in the article title makes it seem Howard was surprised.
A printer is a network-connected computer like many other devices, and people don't update their firmware. So what else do you expect?
Here are some presentations on other security problems with printers:
http://www.youtube.com/watch?v=GZgLX60U3sY#t=3m40s
( ShmooCon 2011: Printers Gone Wild! )
http://www.youtube.com/watch?v=MPhisPLwm2A
( ShmooCon 2011: Printer to PWND: Leveraging Multifunction Printers During Penetration Testing )
Another example is that many of these devices have a web interface. Why is that a problem? Well, it is just as much a problem as a web interface on your router.
A website on the Internet could include an image with a URL pointing at your router or printer which tries to change settings on that device. It is very common.
Many routers on sale right now have already fixed their problems. It will take years before printers will get fixed.
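
The "no LAN URLs from a WAN document" rule discussed in this thread, as an added example that is not part of any comment and is not NoScript's own code. It is a simplified sketch: the function names and sample URLs are constructed, and only literal addresses and `localhost` are classified. Because the check looks at the request rather than at scripts, a plain `<img>` load is covered too.

```javascript
// Added illustration: block requests from an Internet (WAN) page to a LAN host.
// Function names and sample URLs are constructed for this example.

// True if the host is loopback, RFC 1918 private, or link-local.
function isLocalHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false; // other hostnames would need DNS resolution to classify
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 127 ||                          // 127.0.0.0/8 loopback
    a === 10 ||                           // 10.0.0.0/8
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168) ||           // 192.168.0.0/16
    (a === 169 && b === 254)              // 169.254.0.0/16 link-local
  );
}

// Decide whether a subresource request (for example an <img> load) may proceed.
// documentUrl: the page making the request; requestUrl: the resource requested.
function checkRequest(documentUrl, requestUrl) {
  const from = new URL(documentUrl).hostname;
  const to = new URL(requestUrl).hostname;
  if (isLocalHost(to) && !isLocalHost(from)) {
    return { allow: false, reason: `WAN document ${from} requested LAN host ${to}` };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample requests: [document URL, requested URL]
const samples = [
  ["http://example.com/page.html", "http://192.168.1.1/settings"],  // WAN -> LAN
  ["http://192.168.1.10/status", "http://192.168.1.1/settings"],    // LAN -> LAN
  ["http://example.com/page.html", "http://example.org/logo.png"],  // WAN -> WAN
];

for (const [doc, req] of samples) {
  const verdict = checkRequest(doc, req);
  console.log(`${verdict.allow ? "ALLOW" : "DENY "} ${doc} -> ${req} (${verdict.reason})`);
}
```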