Firmware bugs in many HP computer models left unfixed for over a year
Security News, September 2022
A set of six high-severity firmware vulnerabilities affecting a broad range of HP Enterprise devices is still waiting to be patched on many models, even though some of them have been publicly disclosed since July 2021.
Firmware flaws are particularly dangerous because code that runs below the operating system can implant malware that survives a full OS re-installation, and a compromise at that level does not trigger standard security tools, which run inside the OS and cannot see what the firmware does before it boots.
The researchers at Binarly reported three of the bugs to HP in July 2021 and the other three in April 2022, so at the time of writing the vendor has had more than four months for the newer batch and well over a year for the older one to push updates to all affected devices.
HP has released three security advisories acknowledging the vulnerabilities, along with three BIOS updates that address the issues for only some of the impacted models.
As Binarly notes, fixing firmware flaws is very challenging for a single vendor because of the complexity of the firmware supply chain: fixes must be integrated, built and validated separately for every affected platform. Until updates arrive for the remaining models, many HP customers will have to accept the risk and compensate by tightening their physical security measures.
BleepingComputer has asked HP when the security updates for the rest of the impacted models are expected to be released, and we will update this post when we receive a response.