ActiveX flaws haunt QuickBooks Online
The vulnerabilities, rated "highly critical" by Secunia, can be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
"By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash," according to the US-CERT alert.
[ GALLERY: How to disable ActiveX and run Internet Explorer securely ]
Intuit's QuickBooks Online Edition is a version of the popular accounting software that functions within Internet Explorer as an ActiveX control.
Some technical details of the security bugs from Secunia:
1) The insecure methods "httpGETToFile()" and "httpPOSTFromFile()" in the QuickBooks Online Edition ActiveX can be exploited to download or upload files in arbitrary locations.
2) Unspecified boundary errors exist in the QuickBooks Online Edition ActiveX control, which can be exploited to cause stack-based buffer overflows.
Successful exploitation requires that the target is lured into visiting a maliciously rigged Web site.
The vulnerabilities have been confirmed in version 9 of QuickBooks Online Edition. Users are strongly urged to apply an available update from Intuit.