Correct me if I'm wrong, but to be affected, don't you need to have UDP port 631 exposed to the outside world? Apologies for being a bit blunt, but if you're exposing services like printing to the internet that shouldn't be exposed, well, then... you kind of deserve to get owned, right?

> you kind of deserve to get owned, right?

The people who have no idea what services are listening on their machine due to some default that someone else decided upon absolutely deserve to get owned, yes, because that's a totally reasonable mentality to have.

Sarcasm in case it wasn't obvious. At what point did it just become normal to be so user-hostile?


To be fair, most regular users are not impacted by this vulnerability. That is exactly what is written in the article.

OK, I'll correct you :)

This is the quintessential wrong way of thinking about computers and security. It's the equivalent of the "OK, but... [insert BS argument trying to deflect]". There is no "but". "Your" system has a bug/vulnerability/non-compliance - FIX it and help the users/customers instead of waterboarding us with pseudo-moralistic quips about "deserving" and whatnot.

The Universe is quite a big place with realities, situations and contexts you wouldn't even fathom. Be humble.

( Hope I wasn't too blunt :) )


I mean, if you install your server and open it to the internet without securing it with a FW, what would you expect to happen?

Who said anything about servers? This mostly affects consumer devices. If this was a windows installation, I'm not sure the same "skill issue" argument would be popping up. A normal person just installs their OS and uses it. They don't know the intricacies of CUPS, the implications of using 0.0.0.0 or how to set up a firewall in a way that would prevent this from happening. Hell, even tons of people on HN make the mistake of just checking their TCP ports when discussing this issue (when it's UDP), or don't check for the right cups package. So imagine everyone else?

Seriously, and I mean this in the most non-aggressive way: Grow up.

Seriously, anyone who disagrees with that ends up with even bigger problems, like getting hit by ransomware. You, not some developer or Linus Torvalds or anyone else, are responsible for your client and your data. If you put your server on the internet without securing it properly, you deserve to get owned. Your negligence ends up hurting other people.

Is that so hard to understand? You have to take security seriously. My point is that a firewall is the bare minimum you should be thinking about when setting up your server.


The issue is when people don't realize that CUPS is installed either because it happened by default or was accidentally brought in through some other transitive dependency. Ubuntu is especially vulnerable to dependency smuggling like that because recommended packages are installed by default.

Don't blame or get angry at people for not knowing their stacks entirely. There's so much to keep track of that it's totally understandable that something like this can fall through the cracks.


That's the point - you don't need to know your stack. You don't need to worry if CUPS is installed, enabled, or listening on your interface. You don't need any of that, as long as you do the bare minimum and configure your firewall.

That's the whole point!!!
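The two practical points in this subthread are checking whether anything is listening on UDP 631 (UDP, not TCP, and the cups-browsed package rather than cups itself) and putting a firewall rule in front of it. The script below is an added example, not code from the thread, CUPS or any distribution: it parses `ss -ulnpH` rows, queries dpkg for cups-browsed, and prints an nftables ruleset that admits UDP 631 only from a given subnet. The sample `ss` rows are constructed, and the table name `cups_guard`, the 192.168.1.0/24 subnet and the reliance on iproute2, dpkg and nftables are assumptions.

```shell
#!/bin/sh
# Added example: audit a Linux host for a CUPS browse listener on UDP 631
# and emit a firewall rule for it. Assumes (not stated on the page):
# iproute2 `ss` with -ulnpH, dpkg packaging (Debian/Ubuntu), nftables.

# udp631_listeners: reads `ss -ulnpH` rows on stdin and prints
# "ADDRESS PROCESS" for each UDP socket bound to port 631 on a
# non-loopback address. Exit 0 if at least one exists, 1 otherwise.
# UDP sockets show as UNCONN; the local address:port is field 4.
udp631_listeners() {
  awk '
    $1 == "UNCONN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
      if (port == "631" && addr != "127.0.0.1" && addr != "[::1]") {
        proc = ($6 == "") ? "-" : $6         # process column needs root
        print addr, proc
        found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# cups_browsed_installed: dpkg status check for the package that carries
# the UDP browse daemon. Exit 0 only when it is fully installed.
cups_browsed_installed() {
  status=$(dpkg-query -W -f='${Status}' cups-browsed 2>/dev/null) || return 1
  echo "cups-browsed: $status"
  [ "$status" = "install ok installed" ]
}

# nft_rules_for_udp631: print an nftables ruleset (assumed table name
# cups_guard) that accepts UDP/631 from loopback and from $1 (the LAN
# where printers actually live) and drops it from everywhere else.
nft_rules_for_udp631() {
  cidr=$1
  cat <<EOF
table inet cups_guard {
  chain input {
    type filter hook input priority -10; policy accept;
    iif lo udp dport 631 accept
    ip saddr $cidr udp dport 631 accept
    udp dport 631 drop
  }
}
EOF
}

# Constructed sample rows (not captured from a real host): cups-browsed on
# the wildcard address, plus an unrelated loopback UDP socket.
SAMPLE_EXPOSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=800,fd=5))'
# Constructed sample with port 631 bound to loopback only: not exposed.
SAMPLE_LOCAL='UNCONN 0 0 127.0.0.1:631 0.0.0.0:* users:(("cups-browsed",pid=1234,fd=7))'

main() {
  # Audit the live host: -u selects UDP sockets; -t would miss this entirely.
  if command -v ss >/dev/null 2>&1; then
    if ss -ulnpH 2>/dev/null | udp631_listeners; then
      echo "UDP 631 is reachable from the network; restrict it, e.g. with:"
      nft_rules_for_udp631 192.168.1.0/24
    else
      echo "no UDP 631 listener on a non-loopback address"
    fi
  fi
  cups_browsed_installed || echo "cups-browsed not installed (dpkg)"
}

main
```

Run it as root to get the process column from `ss`; unprivileged runs still report the bound address. The generated ruleset can be reviewed and loaded with `nft -f`; it is deliberately allow-listed by source subnet rather than a blanket drop, since a host that does use network printers still needs browse traffic from its own LAN.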


Depends what you mean by "expect":

1. To predict or believe that something will happen

I expect it to get hacked because it's written in C.

2. To consider obligatory or required.

I expect servers to be secure!


Exactly, and I think you'd expect the people managing those servers to be experts and do their job. That's the whole point of what I wrote.
