Update: Critical bugs plague QuickBooks' online service, warns US-CERT
But puzzled Intuit says it updated the Web-based software back in March
Computerworld - Two days after the federal government's cyberdefense arm warned users of the popular QuickBooks small-business accounting software that they risk losing data and control of their PCs to hackers, the program's developer claimed it patched the bug almost six months ago.
According to two advisories published by the U.S. Computer Emergency Readiness Team (US-CERT) on Tuesday, the ActiveX control that enables Intuit Inc.'s Web-based QuickBooks Online Edition (QBOE) contains flaws that attackers can exploit simply by getting users to view an HTML e-mail message or visit a malicious Web site.
Of the two bugs discovered and reported by US-CERT researcher Will Dormann, one not only let attackers plant malware on a vulnerable Windows PC, but also allowed them to steal files from the machine.
Copenhagen-based vulnerability tracker Secunia ApS ranked the vulnerabilities "highly critical," its second-most serious threat rating.
On Thursday, Intuit confirmed that it had been told by US-CERT of the problem in January, but said the buggy ActiveX control had been patched sometime after that. It rolled the fix into a March 15 update to the Web service.
"We put out a new version of the software that took care of the issue," said Intuit spokeswoman Heather McLellen. "The next time users logged into their accounts, they were automatically upgraded to the new software, version 10. The only version that people have been using since then does not have this vulnerability."
QBOE is a Web-based subset of the traditional on-disk software, and uses a subscription pricing model that starts at $19.95 per month. Customers log on and access their accounting data using Microsoft Corp.'s Internet Explorer browser.
"I don't know why US-CERT issued the advisory yesterday," said McLellen when asked about the move. "They reported the problem to us in January, and we had fixed it by March."
Yesterday, Intuit posted a new document to the QBOE support site that spells out the steps users who had not logged in since March 15 should take to protect their PCs from possible attack. "The only people who might still be at risk are non-active users," said McLellen.
The support document instructs former QBOE users to delete the software remaining on their systems using a Remove utility included with their original download, and urges others who have not logged in since March to do so now. "This process will prompt you to automatically download the newest version," the document read.
"Your QBOE data was never at risk and [was] secure at all times on our servers," Intuit said.
US-CERT did not return multiple calls asking for comment.