ActiveX flaws haunt QuickBooks Online

Summary: The U.S. Computer Emergency Readiness Team (US-CERT) is warning about multiple code execution holes affecting users of Intuit QuickBooks Online Edition.

The U.S. Computer Emergency Readiness Team (US-CERT) is warning about multiple code execution holes affecting users of Intuit QuickBooks Online Edition.

The vulnerabilities, rated "highly critical" by Secunia, can be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

"By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash," according to the US-CERT alert.

Intuit's QuickBooks Online Edition is a version of the popular accounting software that functions within Internet Explorer as an ActiveX control.

Some technical details of the security bugs from Secunia:

1) The insecure methods "httpGETToFile()" and "httpPOSTFromFile()" in the QuickBooks Online Edition ActiveX control can be exploited to download or upload files to arbitrary locations.

2) Unspecified boundary errors exist in the QuickBooks Online Edition ActiveX control, which can be exploited to cause stack-based buffer overflows.

Successful exploitation requires that the target be lured into visiting a maliciously rigged Web site.

The vulnerabilities have been confirmed in version 9 of QuickBooks Online Edition. Users are strongly urged to apply an available update from Intuit.
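Applying Intuit's update is the fix the advisory calls for. As a complementary defender-side control, an administrator can set the Internet Explorer "kill bit" for the control's CLSID so that IE (and any application hosting the WebBrowser control) refuses to instantiate it even if the old version remains registered. The following PowerShell is an added example, not code from the article, US-CERT or Intuit; the CLSID is a placeholder because the page does not give the control's real one, and the function and variable names are this example's own.

```powershell
# Added example (not from the article, US-CERT or Intuit): set and verify the
# ActiveX kill bit for a control's CLSID so Internet Explorer will not load it.
# Run from an elevated PowerShell session.

$Clsid   = '{00000000-0000-0000-0000-000000000000}'  # PLACEHOLDER: substitute the control's real CLSID
$KillBit = 0x400                                     # COMPAT_FLAG value that disables the control in IE

# 64-bit Windows keeps a second view of this key for 32-bit IE under Wow6432Node.
$BaseKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Preserve any flags already present; only OR in the kill bit.
    $existing = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $value = [int]$existing -bor $KillBit
    Set-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -Value $value -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$KeyPath)
    $flags = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($base in $BaseKeys) {
    # Skip the Wow6432Node view on 32-bit Windows, where it does not exist.
    if (-not (Test-Path (Split-Path $base -Parent))) { continue }
    $key = Join-Path $base $Clsid
    Set-ActiveXKillBit -KeyPath $key
    if (Test-ActiveXKillBit -KeyPath $key) {
        "Kill bit set under $key"
    } else {
        "WARNING: kill bit not set under $key"
    }
}
```

The kill bit only stops IE and WebBrowser hosts from creating the object; it does not remove the DLL, so the vendor update (which, per Intuit's comment below, replaced the control) remains the primary fix. Because the value is a bitmask, the script ORs in 0x400 rather than overwriting the DWORD, so any other compatibility flags already set for that CLSID are kept.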

Topics: Browser, Security

Talkback

13 comments
  • ActiveX

    People still using ActiveX for development? It's ActiveXploit
    shoktai
    • HAHAHAHAHA...

      ...HAHAHAHAHAH!!! HEHEHEHAHAHAHAH! HOHOHEHEHEAHHAHAH!

      ActiveXploit! Hilarious!

      Do you get these humorous nuggets from a book or do you write them on the fly?

      Good gawd...
      GuyAlanDye
  • Which is why you don't use Microsoft tech. on the Web

    And why you need to run from websites that use it. ESPECIALLY sites that deal with your financial data.

    Look at Monster.com - huge .ASP shop and broken into. Look at this latest one.

    Just use companies that don't use MS and let them know why.
    ITGuy04
    • Bad programming...

      is bad programming. It doesn't matter if you're developing in ASP on a Windows box or Perl on a Linux box or any other development environment on any operating system. Microsoft just makes it seem too easy to develop software. My guess is that this helps make it easier to farm out development work to countries where English isn't the first language, and critical thinking ranks second to having a body in a chair creating poorly written code for ten bucks a week.
      jasonp9
      • Bad software

        It's part programming, but when your:

        1) Server OS
        2) Web Server
        3) Database
        4) Browser

        all have Swiss Cheese security it's a DISASTER waiting to happen.
        ITGuy04
        • Well then, it's good that we don't use

          Linux or Safari! ;)

          (was that a good troll for a troll?)
          John Zern
        • that's not quite fair ...

          IIS 6 really is secure out of the box. Not that I wouldn't run it without pound and pf on OpenBSD, but MS finally did get IIS 6 right.

          The OS is getting better, but there is still way too much stuff running on a web server to make me happy. My gripe with Windows servers is that you have to install GUIs, browsers, etc just to run a simple web service.

          Nobody will defend IE, and it doesn't even do SVG without a plug-in.

          SQL Server irritates me, but not for security reasons. How on Earth do you deal with people that say
          cast( "2006-12-25" as datetime) - "2006-10-28"
          is "1900-02-28" !? And then they tell us that messing up the leap year in 1900 doesn't really matter.
          shis-ka-bob
        • It's really too bad...

          that you are too stupid to stay current on exactly what IS and what IS NOT secure these days.

          I feel sorry for all those customers you keep bragging about.
          BFD
  • No issue for current QuickBooks Online users

    I'm from Intuit, the maker of QuickBooks Online Edition. I want to clarify that the current, and only, version available of QuickBooks Online does not have the ActiveX issue referenced by CERT. We take all security concerns seriously and therefore began investigating the CERT issue as soon as it was brought to our attention. Earlier this year, we released a solution, version 10 of QuickBooks Online, which automatically removed the old ActiveX control and required all users to automatically upgrade to version 10 upon logging into their accounts.
    sbrockett
  • US-CERT NEVER AGREED WITH ITS 9/4/07 WARNING

    See http://www.kb.cert.org/vuls/id/979638. The US-CERT division of the Department of Homeland Security is the leading guardian of computer program security, but good private companies move far faster than it does. Its 9/4 WARNING actually says, "This issue is addressed in version 10 of the QuickBooks Online Edition ActiveX control." That means US-CERT saw nothing wrong with a version Intuit released on 3/15/07, almost 6 months before the warning. This version automatically fixes the problem. Gregg Keizer of Computerworld wrote a completely wrong story without reading a readily available source document and without asking a subject to comment before publishing. Intuit has long had one of the best possible reputations for security.
    mblock9
  • ACTIVEX FLAWS NOT IN QBOOKS ONLINE

    This Computerworld story, which ZDNet copied, is a travesty. No one read the readily available source document at http://www.kb.cert.org/vuls/id/979638 or asked a subject to comment before spreading false information. The so-called 9/4 warning actually says, "This issue is addressed in version 10 of the QuickBooks Online Edition ActiveX control." That means US-CERT saw nothing wrong with a version Intuit released on 3/15/07, about 6 months before the warning. The US-CERT division of the Department of Homeland Security may try to guard computer program security, but good companies apparently move far faster. Intuit has long had an excellent reputation for security.
    mblock9
    • ACTIVEX FLAWS NOT IN QBOOKS ONLINE

      One clarification: the author of the story read the http://www.kb.cert.org/vuls/id/979638 source document. However, he did something terrible by concealing its key statement,
      "This issue is addressed in version 10 of the QuickBooks Online Edition ActiveX control." That means US-CERT saw nothing wrong with a version released about 6 months before its warning.

      It was bad journalism when Computerworld did not check a source document or ask a subject to comment (Intuit people are always exceptionally available). It was far worse to sensationalize by concealment.
      mblock9