Multiple vulnerabilities in Intuit QuickBooks

2012-04-02T00:00:00
ID VU:232979
Type cert
Reporter CERT
Modified 2012-05-21T18:24:00

Description

Overview

Intuit QuickBooks 2009 through 2012 have been reported to contain a file disclosure and heap corruption vulnerability.

Description

Derek Soeder's vulnerability report states the following:

Intuit Help System Protocol File Retrieval
The vulnerability described in this document can be exploited by malicious HTML and Javascript to retrieve a file from a ZIP archive to which the user viewing the HTML has local or network file system access. The attacker must know or guess the path and file name of the target ZIP archive and the target file it contains. A further significant limitation is that files in subdirectories inside of ZIP archives have proven inaccessible, based on a sampling of Windows ZIPs, Microsoft Office 2007 documents, JARs, and APKs.

Intuit Help System Protocol URL Heap Corruption and Memory Leak
The vulnerability described in this document can potentially be exploited by malicious HTML and/or Javascript to execute arbitrary code as the user viewing the malicious content.

Additional details may be found in the full advisories linked above.


Impact

An attacker may be able to retrieve sensitive files or run arbitrary code.


Solution

QuickBooks 2008 through 2012 will automatically update to address this vulnerability. If you are unable to apply the latest updates, please consider the following workaround.


Disable the Intuit Help System protocol

Delete, rename, or restrict read access to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Classes\PROTOCOLS\Handler\intu-help-qb#

Where '#' is a digit from 1 to 5, or delete, rename, or restrict execute access to the "HelpAsyncPluggableProtocol.dll" file in the QuickBooks installation directory, and then restart Internet Explorer and any application that uses it as an embedded Web browser. Note that disabling the protocol will prevent QuickBooks from displaying help pages.


Vendor Information

232979

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Intuit, Inc. Affected

Notified: March 23, 2012 Updated: May 21, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://security.intuit.com/alert.php?a=43>

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 5 | AV:A/AC:--/Au:N/C:C/I:C/A:P
Temporal | 3.6 | E:U/RL:W/RC:UC
Environmental | 3.6 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • <http://www.securityfocus.com/archive/1/522138>
  • <http://www.securityfocus.com/archive/1/522139>
  • <http://security.intuit.com/alert.php?a=43>

Acknowledgements

Thanks to Derek Soeder for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: | None
---|---
Date Public: | 2012-03-30
Date First Published: | 2012-04-02
Date Last Updated: | 2012-05-21 18:24 UTC
Document Revision: | 17