The U.S. Computer Emergency Readiness Team (US-CERT) has issued an alert regarding two security flaws attackers could exploit in the popular Intuit QuickBooks Online Edition to cause buffer overflows and download or upload files using compromised machines.
QuickBooks Online Edition is the Web-based version of Intuit's accounting program and is particularly popular among small businesses. It functions as an ActiveX control within Internet Explorer (IE). According to US-CERT researcher Will Dormann, the ActiveX control contains several "dangerous" methods attackers could exploit to hijack computers and steal sensitive data.
"The Intuit QuickBooks Online Edition ActiveX control fails to properly restrict access to dangerous methods, which could allow a remote attacker to execute arbitrary code on a vulnerable system," he explained in
Dormann added that files an attacker uploads to a victim's machine this way could be laced with malicious code. "The user may click the file inadvertently, or the file may be placed in a sensitive location, such as the Windows Startup folder, where it will automatically execute the next time the user logs onto the system," he warned. "An attacker can also retrieve arbitrary files from a victim's computer."
Danish vulnerability clearinghouse Secunia labeled the flaws highly critical because of the attacker's ability to exploit them remotely. In Secunia advisory SA26659, the firm said it confirmed the flaws in QuickBooks version 9 and warned that other versions may also be affected.
Users can eliminate the threat by updating to version 10 or setting the kill-bit for the affected ActiveX controls.
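As an added illustration of the kill-bit mitigation (example code, not from the article, Intuit or US-CERT), the PowerShell below sets Internet Explorer's kill bit for a control and reads it back to verify it. The CLSID is a placeholder, since the article does not give it; the real value must be taken from the US-CERT or Secunia advisory, and the script must run from an elevated prompt.

```powershell
# Added example: set and verify the IE ActiveX "kill bit" for one control.
# PLACEHOLDER CLSID - substitute the control's CLSID from the advisory.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # Compatibility Flags bit that tells IE never to load the control

# IE consults the key matching its own bitness; on 64-bit Windows set both views.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Set-ActiveXKillBit {
    param([string]$Path, [int]$Bit)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    # OR the bit in so other compatibility flags already present are preserved.
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value ($existing -bor $Bit) -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([string]$Path, [int]$Bit)
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $Bit) -eq $Bit)
}

foreach ($p in $Paths) {
    # 32-bit Windows has no Wow6432Node view; skip it there.
    if ($env:PROCESSOR_ARCHITECTURE -eq 'x86' -and $p -like '*Wow6432Node*') { continue }
    Set-ActiveXKillBit -Path $p -Bit $KillBit
    $state = if (Test-ActiveXKillBit -Path $p -Bit $KillBit) { 'set' } else { 'NOT set' }
    "{0}: kill bit {1}" -f $p, $state
}
```

The same read-back check can be run on its own across a fleet to confirm the mitigation is in place before the version 10 upgrade has reached every user.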
Sharna Brockett, public relations manager with Intuit, said in an email Thursday afternoon that the current version of QuickBooks Online Edition does not have the ActiveX issue referenced by CERT.
"We take all security concerns seriously and therefore began investigating the CERT issue as soon as it was brought to our attention," she said. "Earlier this year, we released a solution, version 10 of QuickBooks Online Edition, which automatically removed the old ActiveX control and required all users to automatically upgrade to version 10 upon logging into their accounts."