Vulnerability Note VU#232979
Multiple vulnerabilities in Intuit QuickBooks
Intuit QuickBooks 2009 through 2012 have been reported to contain a file disclosure vulnerability and a heap corruption vulnerability.
Derek Soeder's vulnerability report states the following:
Intuit Help System Protocol File Retrieval
An attacker may be able to retrieve sensitive files or run arbitrary code.
QuickBooks 2008 through 2012 will automatically update to address this vulnerability. If you are unable to apply the latest updates, please consider the following workaround.
Disable the Intuit Help System protocol
Where '#' is a digit from 1 to 5, or delete, rename, or restrict execute access to the "HelpAsyncPluggableProtocol.dll" file in the QuickBooks installation directory, and then restart Internet Explorer and any application that uses it as an embedded Web browser. Note that disabling the protocol will prevent QuickBooks from displaying help pages.
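The file-permission form of this workaround can be scripted. The following PowerShell is an added example, not part of the original advisory or of Intuit's tooling; it assumes the QuickBooks installation directory is passed in as `-InstallDir` (the advisory does not give the path) and that a deny entry for the Everyone group is an acceptable way to restrict execute access.

```powershell
# Added example: audit or restrict execute access on the Intuit Help System
# protocol handler DLL named in the workaround.
# Assumption: -InstallDir is the QuickBooks installation directory on this host.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallDir,
    [switch]$AuditOnly   # report the current state without changing ACLs
)

$dllName  = 'HelpAsyncPluggableProtocol.dll'
$execute  = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # Everyone

$targets = Get-ChildItem -LiteralPath $InstallDir -Filter $dllName -File -Recurse -ErrorAction SilentlyContinue
if (-not $targets) {
    Write-Warning "$dllName not found under $InstallDir"
    return
}

foreach ($file in $targets) {
    $acl = Get-Acl -LiteralPath $file.FullName

    # Any existing Deny entry that covers ExecuteFile counts as "restricted" here;
    # review the ACL by hand if the deny applies to a narrower identity.
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $execute)
    }

    if ($denied) {
        Write-Output "RESTRICTED  $($file.FullName)"
        continue
    }
    if ($AuditOnly) {
        Write-Output "EXECUTABLE  $($file.FullName)"
        continue
    }
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Deny ExecuteFile to Everyone')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, $execute, 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $file.FullName -AclObject $acl
        Write-Output "DENIED      $($file.FullName)"
    }
}
```

Run it from an elevated prompt, first with `-AuditOnly` or `-WhatIf`, then restart Internet Explorer and any application that embeds it, as the workaround requires.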
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Intuit, Inc. | Affected | 23 Mar 2012 | 21 May 2012 |
Thanks to Derek Soeder for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: Unknown
- Date Public: 30 Mar 2012
- Date First Published: 02 Apr 2012
- Date Last Updated: 21 May 2012
- Document Revision: 16