Printer manufacturer Procolored distributed malware through its driver packages for months, dismissing security researchers' warnings as false positives. The malicious driver, installed alongside legitimate printer software, collected system information and communicated with a command-and-control server located in China, potentially enabling remote code execution and data exfiltration. While Procolored eventually removed the driver and claimed it was a "statistical module" intended for data collection on printer usage, the company's delayed response and lack of transparency raise significant concerns about its security practices and the potential impact on users.
A report has detailed how printer drivers distributed by Ninestar Corporation, a significant player in the printer consumables market and parent company of printer brands such as Lexmark, Pantum, and AstroNova, were found to contain potentially malicious software. The finding, first reported by security researchers at SentinelOne in April 2023, showed that drivers for a wide range of color laser printers included a hidden component designed to download and execute arbitrary code. Disguised within the driver software, this component ran in the background and maintained persistent connections to servers located in China without the user's knowledge or consent.
The implications of this concealed functionality are substantial. Because the downloaded code is arbitrary, it could perform a range of malicious actions, from data exfiltration and system monitoring to the installation of further malware, exposing users to the compromise of sensitive information and of their systems as a whole.
Ninestar's initial response was dismissive, categorizing the alerts as "false positives." Further investigation by SentinelOne, however, confirmed its initial assessment: the unauthorized code was present and could be exploited maliciously. This dismissal of legitimate security concerns made the situation worse, suggesting a lack of transparency and a disregard for user security on Ninestar's part.
After mounting evidence and increased public scrutiny, Ninestar eventually acknowledged the issue, claiming that the code was part of a cloud printing feature and not intended for malicious purposes. The company further asserted that the code had been deactivated in June 2022. However, the researchers' continued analysis showed that the questionable code remained active in driver versions released after that supposed deactivation date. This discrepancy further undermines Ninestar's claims and raises questions about its commitment to addressing the vulnerability effectively.
The incident highlights the risks of installing software even from seemingly reputable sources. The complexity of modern printer drivers and the extensive permissions they often require give malicious actors an opportunity to embed hidden functionality that bypasses traditional security measures. The case underscores the importance of vigilant security practices, including careful scrutiny of software installations and regular security updates, to mitigate such threats. It also emphasizes the need for greater transparency and accountability from hardware manufacturers in addressing security vulnerabilities, so that users can trust the software they install.
Summary of Comments (62)
https://news.ycombinator.com/item?id=44012283
Several Hacker News commenters expressed skepticism about the "malware" classification, suggesting the included software was more accurately described as bloatware or potentially unwanted programs (PUPs). They pointed out that the drivers bundled third-party software like the Crossrider ad injection platform and Optimizer Pro, known for aggressive advertising and questionable system modifications. While acknowledging the software's undesirable nature, commenters debated whether its behavior warranted the "malware" label, with some arguing for a clearer distinction between malicious intent and aggressive monetization strategies. Others discussed the prevalence of such practices, particularly among printer manufacturers, and lamented the lack of transparency and user control in driver installations. A few commenters also questioned the motives behind the disclosure, speculating about potential conflicts of interest. Overall, the discussion centered on the nuanced definition of malware and the ethical implications of bundling potentially unwanted software with essential drivers.
The Hacker News thread discussing the Procolored printer driver malware has a moderate number of comments, exploring various aspects of the situation.
Several commenters express a deep distrust of printer software in general, citing past experiences with bloatware, unnecessary features, and generally poor security practices. This incident with Procolored is seen as another example confirming their existing skepticism. One commenter sarcastically suggests that printer companies see their devices as a loss-leader, aiming to profit through other means, implying that malware distribution might be one such avenue; this is presented more as dark humor than as a serious accusation.
The discussion touches on the difficulty of managing printer drivers, especially in corporate environments. One user highlights the complexities and potential security vulnerabilities introduced by using universal printer drivers or relying on the operating system's built-in drivers. They express concern that proper vetting of printer drivers is often neglected due to the perceived low risk compared to other software.
Some comments analyze the technical details of the malware, noting its use of DLL side-loading and persistence mechanisms. The relative simplicity of the malware raises questions about the developers' intentions. Was it truly malicious, or perhaps a misguided attempt at implementing some sort of DRM or telemetry? The lack of clear communication from Procolored fuels speculation.
The company's response, dismissing the reports as false positives, is met with widespread criticism. Commenters see it as a classic example of poor crisis management and a lack of transparency. This perceived dismissiveness exacerbates the distrust and reinforces the negative perception of the company.
Finally, there's a practical discussion about alternatives to Procolored printers and drivers. Users suggest open-source driver options and recommend specific printer brands known for better software and security practices. This reflects a desire within the community to find more trustworthy and reliable printing solutions.