search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Multiple vulnerabilities in Intuit QuickBooks

Vulnerability Note VU#232979

Original Release Date: 2012-04-02 | Last Revised: 2012-05-21


Intuit QuickBooks 2009 through 2012 have been reported to contain a file disclosure and heap corruption vulnerability.


Derek Soeder's vulnerability report states the following:

Intuit Help System Protocol File Retrieval
The vulnerability described in this document can be exploited by malicious HTML and Javascript to retrieve a file from a ZIP archive to which the user viewing the HTML has local or network file system access. The attacker must know or guess the path and file name of the target ZIP archive and the target file it contains. A further significant limitation is that files in subdirectories inside of ZIP archives have proven inaccessible, based on a sampling of Windows ZIPs, Microsoft Office 2007 documents, JARs, and APKs.

Intuit Help System Protocol URL Heap Corruption and Memory Leak
The vulnerability described in this document can potentially be exploited by malicious HTML and/or Javascript to execute arbitrary code as the user viewing the malicious content.

Additional details may be found in the full advisories linked above.


An attacker may be able to retrieve sensitive files or run arbitrary code.


QuickBooks 2008 through 2012 will automatically update to address this vulnerability. If you are unable to apply the latest updates, please consider the following workaround.

Disable the Intuit Help System protocol

Delete, rename, or restrict read access to the registry key:


Where '#' is a digit from 1 to 5, or delete, rename, or restrict execute access to the "HelpAsyncPluggableProtocol.dll" file in the QuickBooks installation directory, and then restart Internet Explorer and any application that uses it as an embedded Web browser. Note that disabling the protocol will prevent QuickBooks from displaying help pages.

Vendor Information


Intuit, Inc. Affected

Notified:  March 23, 2012 Updated: May 21, 2012



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 5 AV:A/AC:--/Au:N/C:C/I:C/A:P
Temporal 3.6 E:U/RL:W/RC:UC
Environmental 3.6 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



Thanks to Derek Soeder for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: None
Date Public: 2012-03-30
Date First Published: 2012-04-02
Date Last Updated: 2012-05-21 18:24 UTC
Document Revision: 17

Sponsored by CISA.