Update: Critical bugs plague QuickBooks' online service, warns US-CERT
But puzzled Intuit says it updated the Web-based software back in March
Computerworld - Two days after the federal government's cyberdefense arm warned users of the popular QuickBooks small-business accounting software that they risk losing data and control of their PCs to hackers, the program's developer claimed it patched the bug almost six months ago.
According to two advisories published by the U.S. Computer Emergency Readiness Team (US-CERT) on Tuesday, the ActiveX control that enables Intuit Inc.'s Web-based QuickBooks Online Edition (QBOE) contains flaws that attackers can exploit simply by getting users to view an HTML e-mail message or visit a malicious Web site.
Of the two bugs discovered and reported by US-CERT researcher Will Dormann, one not only lets attackers plant malware on a vulnerable Windows PC but also lets them steal files from the machine.
Copenhagen-based vulnerability tracker Secunia ApS ranked the vulnerabilities "highly critical," its second-most serious threat rating.
On Thursday, Intuit confirmed that it had been told by US-CERT of the problem in January, but said the buggy ActiveX control had been patched sometime after that. It rolled the fix into a March 15 update to the Web service.
"We put out a new version of the software that took care of the issue," said Intuit spokeswoman Heather McLellen. "The next time users logged into their accounts, they were automatically upgraded to the new software, version 10. The only version that people have been using since then does not have this vulnerability."
QBOE is a Web-based subset of the traditional on-disk software, and uses a subscription pricing model that starts at $19.95 per month. Customers log on and access their accounting data using Microsoft Corp.'s Internet Explorer browser.
"I don't know why US-CERT issued the advisory yesterday," said McLellen when asked about the move. "They reported the problem to us in January, and we had fixed it by March."
Yesterday, Intuit posted a new document to the QBOE support site that spells out the steps users who had not logged in since March 15 should take to protect their PCs from possible attack. "The only people who might still be at risk are non-active users," said McLellen.
The support document instructs former QBOE users to delete the software remaining on their systems using a Remove utility included with their original download, and urges others who had not logged in since March to do so now. "This process will prompt you to automatically download the newest version," the document read.
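A check worth running before trusting either path: the server-side upgrade Intuit describes only reaches users who log in, and an old ActiveX control that is still registered on a client PC can be instantiated by any Web page or HTML e-mail Internet Explorer renders, regardless of what version the QBOE site now serves. The usual way to neutralize such a control without waiting for the vendor's Remove utility is Internet Explorer's "kill bit", a flag in the registry that stops IE from loading a control by its CLSID. The script below is an added example written for this page, not Intuit's or US-CERT's code; the article does not name the control's CLSID, so the `$Clsid` argument is an assumption that must be filled in from the US-CERT advisory or from the control's own registration on an affected machine. It reports whether the control is still registered and whether the kill bit is set, and can set the bit.

```powershell
# Added example, not part of the original article or of Intuit's support document.
# Assumption: $Clsid is the CLSID of the vulnerable control, taken from the US-CERT
# advisory; the article itself does not name it. Run from an elevated PowerShell prompt.

function Get-ActiveXKillBitStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )

    $KillBit = 0x400   # bit in "Compatibility Flags" that stops IE from loading the control

    # Check both the native and the 32-bit (Wow6432Node) registry views: IE normally runs
    # as a 32-bit process on 64-bit Windows, so the 32-bit view is the one that matters there.
    $compatPaths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    $classPaths = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32",
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InprocServer32"
    )

    $killBitSet = $false
    foreach ($p in $compatPaths) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and (($flags -band $KillBit) -ne 0)) { $killBitSet = $true }
    }

    # A registered in-process control has its DLL path as the default value of InprocServer32.
    $dll = $null
    foreach ($p in $classPaths) {
        $v = (Get-ItemProperty -Path $p -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        if ($v) { $dll = $v; break }
    }

    [pscustomobject]@{
        Clsid      = $Clsid
        Registered = [bool]$dll
        DllPath    = $dll
        KillBitSet = $killBitSet
        # Reachable from a malicious page or HTML mail only if the DLL is still
        # registered and IE has not been told to refuse it.
        Exposed    = ([bool]$dll) -and (-not $killBitSet)
    }
}

function Set-ActiveXKillBit {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Clsid)

    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $p = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # Preserve any flags already present and OR in the kill bit.
        $cur = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$cur) -bor 0x400
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
    }
}

# Usage (fill in the real CLSID from the advisory):
#   $status = Get-ActiveXKillBitStatus -Clsid $clsidFromAdvisory
#   if ($status.Exposed) { Set-ActiveXKillBit -Clsid $clsidFromAdvisory }
```

Setting the kill bit only stops Internet Explorer from instantiating the control; it does not delete the DLL, so it is a stopgap for machines that cannot run Intuit's Remove utility or log in to pick up the new version. If the kill-bitted control is the one the current QBOE service still needs, IE will refuse it and the site will stop working until the bit is cleared, so check `DllPath` against the version Intuit now ships before applying it broadly.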
"Your QBOE data was never at risk and [was] secure at all times on our servers," Intuit said.
US-CERT did not return multiple calls asking for comment.