Update: Critical bugs plague QuickBooks' online service, warns US-CERT
But puzzled Intuit says it updated the Web-based software back in March
Computerworld - Two days after the federal government's cyberdefense arm warned users of the popular QuickBooks small-business accounting software that they risk losing data and control of their PCs to hackers, the program's developer claimed it patched the bug almost six months ago.
According to two advisories published by the U.S. Computer Emergency Readiness Team (US-CERT) on Tuesday, the ActiveX control that enables Intuit Inc.'s Web-based QuickBooks Online Edition (QBOE) contains flaws that attackers can exploit simply by getting users to view an HTML e-mail message or visit a malicious Web site.
Of the two bugs discovered and reported by US-CERT researcher Will Dormann, one not only let attackers seed a vulnerable Windows PC with malware, but allowed them to steal files from the machine.
Copenhagen-based vulnerability tracker Secunia ApS ranked the vulnerabilities "highly critical," its second-most serious threat rating.
On Thursday, Intuit confirmed that it had been told by US-CERT of the problem in January, but said the buggy ActiveX control had been patched sometime after that. It rolled the fix into a March 15 update to the Web service.
"We put out a new version of the software that took care of the issue," said Intuit spokeswoman Heather McLellen. "The next time users logged into their accounts, they were automatically upgraded to the new software, version 10. The only version that people have been using since then does not have this vulnerability."
QBOE is a Web-based subset of the traditional on-disk software, and uses a subscription pricing model that starts at $19.95 per month. Customers log on and access their accounting data using Microsoft Corp.'s Internet Explorer browser.
"I don't know why US-CERT issued the advisory yesterday," said McLellen when asked about the move. "They reported the problem to us in January, and we had fixed it by March."
Yesterday, Intuit posted a new document to the QBOE support site that spells out the steps users who had not logged in since March 15 should take to protect their PCs from possible attack. "The only people who might still be at risk are non-active users," said McLellen.
The support document instructs former QBOE users to delete the software remaining on their systems using a Remove utility included with their original download, and urged others who had not logged in since March to do so now. "This process will prompt you to automatically download the newest version," the document read.
"Your QBOE data was never at risk and [was] secure at all times on our servers," Intuit said.
US-CERT did not return multiple calls asking for comment.
Read more about Security in Computerworld's Security Topic Center.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!