Firmware bugs in many HP computer models left unfixed for over a year
Firmware flaws are particularly dangerous because malware implanted at that level persists across operating system re-installations and can sustain a long-term compromise without triggering the endpoint security tools that run inside the OS.
As Binarly highlights in the report, even though it's been a month since they made some of the flaws public at Black Hat 2022, the vendor hasn't released security updates for all impacted models, leaving many customers exposed to attacks.
The researchers reported three of the bugs to HP in July 2021 and the other three in April 2022, so by the time of the report the vendor had had between roughly four months and more than a full year to push updates to all affected devices.
HP has released three security advisories acknowledging the mentioned vulnerabilities, along with an equal number of BIOS updates addressing the issues for some of the impacted models.
As Binarly comments, fixing firmware flaws is very challenging for a single vendor due to the complexity of the firmware supply chain, so many HP customers will have to accept the risk and ramp up their physical security measures.
BleepingComputer has contacted HP for a comment on when the security updates for the rest of the impacted models are expected to be released, and we will update this post when we get a response.