
Government warns of dangerous QuickBooks Online flaw

By Bill Brenner, Senior News Writer
06 Sep 2007 | SearchSecurity.com


The U.S. Computer Emergency Readiness Team (US-CERT) has issued an alert regarding two security flaws attackers could exploit in the popular Intuit QuickBooks Online Edition to cause buffer overflows and download or upload files using compromised machines.

QuickBooks Online Edition is the Web-based version of Intuit's accounting program and is particularly popular among small businesses. It functions as an ActiveX control within Internet Explorer (IE). According to US-CERT researcher Will Dormann, the ActiveX control contains several "dangerous" methods attackers could exploit to hijack computers and steal sensitive data.

"The Intuit QuickBooks Online Edition ActiveX control fails to properly restrict access to dangerous methods, which could allow a remote attacker to execute arbitrary code on a vulnerable system," he explained in US-CERT Vulnerability Note VU#979638. "By convincing a victim to view an HTML document (Web page, HTML email or email attachment), an attacker could download arbitrary files to a vulnerable system within the security context of the user running IE."

Dormann added that these files could be laced with malicious code. "The user may click the file inadvertently, or the file may be placed in a sensitive location, such as the Windows Startup folder, where it will automatically execute the next time the user logs onto the system," he warned. "An attacker can also retrieve arbitrary files from a victim's computer."

Danish vulnerability clearinghouse Secunia labeled the flaws highly critical because of the attacker's ability to exploit them remotely. In Secunia advisory SA26659, the firm said it confirmed the flaws in QuickBooks version 9 and warned that other versions may also be affected.

Users can eliminate the threat by updating to version 10 or setting the kill-bit for the affected ActiveX controls.
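Setting the kill-bit, as an added example that is not from the article or from Intuit: the PowerShell below writes the Compatibility Flags value that makes Internet Explorer refuse to load a given ActiveX control, then reads it back from both the native and the Wow6432Node registry views. The CLSID is a placeholder, since the article does not give it; take the real one from the US-CERT note and run this from an elevated prompt.

```powershell
# Added example (not from the article or Intuit): set and verify the IE ActiveX
# kill-bit for one control. The CLSID below is a PLACEHOLDER; the article does
# not state the control's CLSID, so take it from VU#979638 before running.
$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, replace

$KillBitFlag = 0x400   # bit in "Compatibility Flags" that blocks the control in IE
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
)
# On 64-bit Windows the 32-bit IE process reads the Wow6432Node view, so cover both.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill-bit in so any other compatibility flags already set survive
        $new = [int]$current -bor $KillBitFlag
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    # Reports, per registry view, whether the kill-bit is present for the CLSID
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Path       = $key
            KillBitSet = (([int]$flags -band $KillBitFlag) -ne 0)
        }
    }
}

Set-ActiveXKillBit -Clsid $Clsid
Test-ActiveXKillBit -Clsid $Clsid | Format-Table -AutoSize
```

A kill-bitted control stays installed on disk; the flag only stops Internet Explorer from instantiating it, so the Intuit upgrade that removes the control is still the complete fix.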

Sharna Brockett, public relations manager with Intuit, said in an email Thursday afternoon that the current version of QuickBooks Online Edition does not have the ActiveX issue referenced by CERT.

"We take all security concerns seriously and therefore began investigating the CERT issue as soon as it was brought to our attention," she said. "Earlier this year, we released a solution, version 10 of QuickBooks Online Edition, which automatically removed the old ActiveX control and required all users to automatically upgrade to version 10 upon logging into their accounts."

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy