QuickBooks ActiveX Controls

To our Customers:

Intuit has identified, and created a solution for, a potential security vulnerability in some of our QuickBooks desktop software (2009 and older supported versions). We know of no cases where someone has taken advantage of this vulnerability. However, if exploited, it could allow a cyber criminal to access the data on your computer. Downloading the update and applying these product updates will eliminate this vulnerability, so it’s important for every customer to install this update.

Two ActiveX controls were affected. These are HtmlHelper.dll and QBInstanceFinder.dll.

Identified versions:

These vulnerabilities affect several versions of Intuit QuickBooks products that should receive updates. The identified versions of these QuickBooks products are:

U.S. Products
QuickBooks Simple Start, Pro, Premier and Enterprise – versions 2007 - 2009

Canadian Products
U.K. Products—these products have already been patched
Australian Products

QuickBooks 2010 in the U.S. and Canada, released in September 2009, is not affected by this vulnerability.

Other Intuit products, at this time and to the best of our knowledge, do not have this vulnerability. If we learn otherwise, we will provide further guidance at that time.

Intuit has already released an automatic patch which may have been applied. If the security patch has been applied, the QuickBooks release level will be updated to the latest version. To get this information, open QuickBooks, and press the F2 key. In the display, you should see the product version information in the first line. Versions of QuickBooks with the patches applied are the following:

If the patch was not automatically applied, it is very important for you to apply the patch now.

What You Need To Do

If you have ever installed any of the identified products on your computer you should download and install Intuit’s patch, which will immediately eliminate the vulnerability.

US customers can download the patch from:
http://support.quickbooks.intuit.com/Support/ProductUpdates.aspx

Canadian customers can download the patch from:
QuickBooks: http://support.intuit.ca/quickbooks/en-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html

SuccesPME customers can download the patch from:
http://support.intuit.ca/succespme/fr-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html

For UK customers, this fix was released in R12 which you should already have installed. If not, install the patch from:
http://support.intuit.co.uk/quickbooks/en-gb/kb/update/update-quickbooks-to-new-product-update/Update_main.html

As a further precaution, we will coordinate release of this information with US-CERT and with Microsoft, for a future release within their regular security updates for ActiveX control configuration. Downloading Intuit’s patch is the most immediate way to eliminate the vulnerability.

We apologize for any inconvenience this may cause.

Technical Support Contact Information

If you encounter any problems installing the patch:

Questions and Answers About the ActiveX Control Vulnerability

Q1. What if I’ve uninstalled one of these products and no longer use it? Do I still need the patch?
A1. If you have uninstalled QuickBooks, you should not be vulnerable to these vulnerabilities. If you have installed multiple versions of QuickBooks, you will be vulnerable if any identified version is still installed. Uninstalling all identified versions of the software will remove the vulnerability from your system. When uninstalling multiple versions, ensure that you uninstall the most recent version of the software last.

Q2. How do I download and install the patch?
A2. All users of an identified version of QuickBooks should download the security patch at:
http://support.quickbooks.intuit.com/Support/ProductUpdates.aspx
Canadian users can also download updates from:
http://support.intuit.ca/quickbooks/en-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html

Q3. How do I check that the security patch has been applied?
A3. To make sure the patch has been applied and is installed on your system, do the following: If the security patch has been applied, the QuickBooks release level will be updated to the latest version. To get this information, open QuickBooks, and press the F2 key. In the display, you should see the product version information in the first line. Versions of QuickBooks with the patches applied are the following:

QuickBooks 2009 R8 US
QuickBooks 2008 R10 US
QuickBooks 2007 R13 US
QuickBooks 2006 R12 UK
QuickBooks 2008 R12 UK
QuickBooks 2009 R6 CAN
QuickBooks 2008 R8 CAN
QuickBooks MC R24 CAN
QuickBooks 2009 French R6 CAN
QuickBooks 2007 French R7 CAN
QuickBooks 2009/10 AU (v18)

Q4. What operating systems are supported?
A4. The security patch is available for all operating systems used by any identified versions of the QuickBooks applications: Windows XP, Windows Vista, and Windows 2000. [If you are running Windows 98 or Windows ME, you need to have Internet Explorer 6.0 or later installed before you can install the update. Go to the Internet Explorer 6 Downloads Web page to install a more recent version of IE.]
Note: Intuit products for Apple MacOS X are not affected.

Q5. What if I have multiple Intuit products? Do I need to download and install the patch for each one?
A5. If you have installed more than one identified version of QuickBooks, you should apply patches for each version.

Q6. I still have a trial version of QuickBooks installed on my system. Do I still need to apply the security patch?
A6. Yes. If you have any trial versions of one of the identified versions of QuickBooks installed on your system, you should download and install the security patch.

Q7. I only use the Internet on a periodic basis. Do I still need to download the security patch?
A7. Yes. If you installed an identified version of QuickBooks on your computer, the vulnerability poses a security risk regardless of whether you are currently connected to the Internet. We recommend that all users of an identified version download and install the security patch.

Q8. How do I ensure that my computer has not already been compromised?
A8. If you have anti-virus software installed and have updates run automatically, the anti-virus software should detect the presence of any malware on your computer. If you want to determine if your computer has malware on it, run a complete scan of your computer using an anti-virus software product.

Q9. I’m the administrator of my office network. Some machines have had QuickBooks installed at some point but don’t any longer, and aren’t getting automatic updates. What should I do to secure my network?
A9. If you’d had QuickBooks installed on some computers at some point, and are no longer running QuickBooks on those machines and receiving automatic updates, you can secure these machines by following these steps:

Q10. What if I use QuickBooks 2006 or a previous version?
A10. Intuit wants your data to be safe. We recommend you upgrade to a newer version of QuickBooks (2007 or later) as soon as possible and follow the instructions to update that version. QuickBooks 2006 and prior versions are no longer supported and Intuit does not release updates for these products.

For additional information please contact Intuit at security@intuit.com

Last updated 10/26/2009

