Critical Bugs Plague Quickbooks Online Edition

The federal government’s cyberdefense arm has warned users of the popular QuickBooks small-business accounting software that they risk losing data and control of their PCs to hackers.

According to two advisories published by the U.S. Computer Emergency Readiness Team (US-CERT), the ActiveX control that enables Intuit Inc.’s QuickBooks Online Edition contains flaws that attackers can exploit simply by getting users to view an HTML e-mail message or visit a malicious website.

Of the two bugs discovered and reported by US-CERT, the one spelled out here is the more dangerous. Not only could attackers seed a vulnerable Windows PC with malware, US-CERT said, but “an attacker can also retrieve files from a victim’s PC.”

Copenhagen-based vulnerability tracker Secunia ApS ranked the vulnerabilities “highly critical,” its second-most serious threat rating.

QuickBooks Online Edition is a Web-based subset of the traditional on-disk software, and it uses a subscription pricing model that starts at $19.95 per month.

According to US-CERT, Version 9, and possibly those prior to that, contain the ActiveX vulnerabilities. US-CERT recommended that users update to Version 10 as soon as possible or, failing that, set the so-called “kill bit” to disable the control.

Doing that, however, means that users won’t be able to access QuickBooks Online through Microsoft’s Internet Explorer, the only browser supported by the service.

Intuit’s support site showed no mention of the bugs today. Ironically, one of the documents in the Online Edition’s support database, entitled “What is the ActiveX control for, and is it safe?” answers: “The short answer is yes, our control is safe.”

ActiveX vulnerabilities in non-Microsoft products are nothing new, of course. Just over a month ago, for example, a critical ActiveX flaw was spotted in Yahoo Widgets, a development platform that runs small, Web-based, gadget-like applications on Windows desktops.