Vulnerability Note VU#232979

Multiple vulnerabilities in Intuit QuickBooks

Original Release date: 02 Apr 2012 | Last revised: 21 May 2012

Overview

Intuit QuickBooks 2009 through 2012 have been reported to contain a file disclosure vulnerability and a heap corruption vulnerability.

Description

Derek Soeder's vulnerability report states the following:

    Intuit Help System Protocol File Retrieval
    The vulnerability described in this document can be exploited by malicious HTML and JavaScript to retrieve a file from a ZIP archive to which the user viewing the HTML has local or network file system access. The attacker must know or guess the path and file name of the target ZIP archive and the target file it contains. A further significant limitation is that files in subdirectories inside of ZIP archives have proven inaccessible, based on a sampling of Windows ZIPs, Microsoft Office 2007 documents, JARs, and APKs.

    Intuit Help System Protocol URL Heap Corruption and Memory Leak
    The vulnerability described in this document can potentially be exploited by malicious HTML and/or JavaScript to execute arbitrary code as the user viewing the malicious content.

Additional details may be found in the full advisories linked above.

Impact

An attacker may be able to retrieve sensitive files or run arbitrary code.

Solution

QuickBooks 2008 through 2012 will automatically update to address this vulnerability. If you are unable to apply the latest updates, please consider the following workaround.

Disable the Intuit Help System protocol

Delete, rename, or restrict read access to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Classes\PROTOCOLS\Handler\intu-help-qb#

Here '#' is a digit from 1 to 5. Alternatively, delete, rename, or restrict execute access to the "HelpAsyncPluggableProtocol.dll" file in the QuickBooks installation directory. Then restart Internet Explorer and any application that uses it as an embedded Web browser. Note that disabling the protocol will prevent QuickBooks from displaying help pages.
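
The registry part of this workaround can be audited and applied with a short script. The following is an added example, not part of the original note and not Intuit's or CERT's code; the `-Disable` switch, the `.disabled` rename suffix and the reading of a `CLSID` value (the usual layout for pluggable protocol handler keys) are assumptions of the example.

```powershell
# Added example: audit, and optionally rename, the intu-help-qb1..5 handler keys.
# Save as a .ps1 file; run from an elevated prompt when using -Disable.
param(
    [switch]$Disable,               # rename the keys instead of only reporting them
    [string]$Suffix = '.disabled'   # assumption: suffix appended to a renamed key
)

# Both registry views from the note: native and [Wow6432Node].
$roots = @(
    'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler',
    'HKLM:\SOFTWARE\Wow6432Node\Classes\PROTOCOLS\Handler'
)

$findings = foreach ($root in $roots) {
    foreach ($n in 1..5) {
        $name = "intu-help-qb$n"
        $path = Join-Path $root $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Report the handler's CLSID value if the key carries one (assumed layout).
        $clsid = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).CLSID

        $state = 'Registered'
        if ($Disable) {
            try {
                # Renaming is reversible: rename the key back to restore help pages.
                Rename-Item -LiteralPath $path -NewName "$name$Suffix" -ErrorAction Stop
                $state = 'Renamed'
            } catch {
                $state = "RenameFailed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Key = $path; CLSID = $clsid; State = $state }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No intu-help-qb1..5 protocol handler keys found in either registry view.'
}
```

Run it without `-Disable` first to see which keys are registered. A key left in the `Registered` or `RenameFailed` state means the handler is still active for that registry view.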

Vendor Information

Vendor         Status     Date Notified   Date Updated
Intuit, Inc.   Affected   23 Mar 2012     21 May 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group           Score   Vector
Base            5.0     AV:A/AC:--/Au:N/C:C/I:C/A:P
Temporal        3.6     E:U/RL:W/RC:UC
Environmental   3.6     CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Credit

Thanks to Derek Soeder for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: Unknown
  • Date Public: 30 Mar 2012
  • Date First Published: 02 Apr 2012
  • Date Last Updated: 21 May 2012
  • Document Revision: 16
