QuickBooks Online Edition Flawed, U.S. Government Warns
The United States federal government's cyber defense wing warned users on September 5, 2007 that the widely used QuickBooks small-business accounting software could let attackers take control of users' computers and steal their data.
US-CERT, the United States Computer Emergency Readiness Team, published two advisories stating that the ActiveX control used by Intuit Inc.'s QuickBooks Online Edition contains flaws an attacker could exploit simply by tricking a user into visiting a malicious Web page or viewing an HTML e-mail message.
US-CERT researcher Will Dormann, who discovered and reported the two bugs, said the first of them is the more serious: it allows an attacker not only to install malware on a vulnerable Windows PC but also to retrieve arbitrary files from the affected computer. PCWorld reported this on September 5, 2007.
These vulnerabilities have received a "highly critical" rating from Secunia, since successful exploitation could allow a remote attacker to run arbitrary code on the affected system.
By getting a user to open a specially crafted HTML document, such as an e-mail attachment, an HTML e-mail message or a Web page, an attacker could execute arbitrary code with the user's privileges. The attacker may also be able to crash Internet Explorer (IE) or any other program that hosts the control, according to the US-CERT warning.
The QuickBooks Online Edition ActiveX control exposes two insecure methods, "httpPOSTFromFile()" and "httpGETToFile()". The first can send the contents of a local file to a remote server and the second can write a downloaded file to a local path, so an attacker who can call them from a Web page can read files from, and write files to, locations of his choosing on the user's computer. The control also contains boundary errors that can be exploited to trigger buffer overflows.
Version 9 and earlier versions of the control contain the ActiveX flaws, according to Dormann. US-CERT recommends that users update to Version 10 or set the control's "kill bit" to disable it. Setting the kill bit, however, makes QuickBooks Online inaccessible through IE, the only browser the service supports.
ActiveX flaws are common in non-Microsoft products as well. For example, an ActiveX vulnerability was found in August 2007 in Yahoo Widgets, which runs gadgets, or small applications.
» SPAMfighter News - 18-09-2007