PERHAPS IT IS out of ink, but printer company Brother is apparently not in much of a hurry to listen to the news from Trustwave that its printers contain a denial of service vulnerability.

Trustwave's Spiderlabs has cast its web of insecurity over the front end of Brother printers. In a security advisory, the firm says that a hole in the system could allow a remote attacker to launch denial of service attacks, adding that generally poor access control is rampant on the internet and can enable some large and damaging attacks on organisations of all sizes.

"A single malformed HTTP request can cause the server to hang until eventually replying with an HTTP 500 error. While the server is hung, print jobs over the network are blocked and the web interface is inaccessible. An attacker can continuously send this malformed request to keep the device inaccessible to legitimate traffic," said Spiderlabs.

"Some people dismiss Denial of Service attacks as a mere nuisance, but they can tie up resources and reduce productivity at any organisation. They can also be used as a part of an in-person attack on an organisation," it added.

"For instance, an attacker can launch a Denial of Service like this one and then show up at the organisation as the 'technician' called to fix the problem. Impersonating a technician would allow the attacker direct physical access to IT resources that they might never have been able to access remotely."

The bad news here is that Trustwave has done the decent thing and attempted to inform Brother about the problem but the firm has chosen to ignore it. Trustwave has released details along with a proof of concept, but only after four attempts to discuss the issue.

"No patch currently exists for this issue," it says darkly. "To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation".

We have reached out to Brother about this, and hope to be able to report its side of the situation. µ