Intuit QuickBooks 2009 through 2012 have been reported to contain file disclosure and heap corruption vulnerabilities.
Derek Soeder's vulnerability report states the following:
Intuit Help System Protocol File Retrieval
Intuit Help System Protocol URL Heap Corruption and Memory Leak
Additional details may be found in the full advisories linked above.
An attacker may be able to retrieve sensitive files or run arbitrary code.
QuickBooks 2008 through 2012 will automatically update to address this vulnerability. If you are unable to apply the latest updates, please consider the following workaround.
Disable the Intuit Help System protocol
Delete, rename, or restrict read access to the registry key:
Where '#' is a digit from 1 to 5, or delete, rename, or restrict execute access to the "HelpAsyncPluggableProtocol.dll" file in the QuickBooks installation directory, and then restart Internet Explorer and any application that uses it as an embedded Web browser. Note that disabling the protocol will prevent QuickBooks from displaying help pages.
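The file-based option of this workaround, as an added PowerShell example that is not part of the original advisory or any Intuit tooling: it adds (or, with -Revert, removes) a deny entry for execute access on HelpAsyncPluggableProtocol.dll and then confirms the result. The -InstallDir parameter, the -Revert switch and the choice of the Everyone SID are assumptions made for this example; run it from an elevated prompt.

```powershell
# Added example: restrict execute access to the help-protocol DLL.
# -InstallDir is an assumption: pass the actual QuickBooks installation directory.
param(
    [Parameter(Mandatory = $true)][string]$InstallDir,
    [switch]$Revert   # hypothetical switch for this example: undo the workaround
)

$dllName = 'HelpAsyncPluggableProtocol.dll'   # file name given in the advisory
$dllPath = Join-Path -Path $InstallDir -ChildPath $dllName
if (-not (Test-Path -LiteralPath $dllPath -PathType Leaf)) {
    throw "$dllName not found in $InstallDir"
}

# Everyone (S-1-1-0), referenced by SID so the script works on localized Windows.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$execute  = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, $execute, [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -LiteralPath $dllPath
if ($Revert) {
    [void]$acl.RemoveAccessRule($rule)   # removes only the deny-execute entry
} else {
    $acl.AddAccessRule($rule)            # a deny entry overrides inherited allows
}
Set-Acl -LiteralPath $dllPath -AclObject $acl

# Re-read the ACL from disk and report whether a deny-execute entry is present.
$denied = @((Get-Acl -LiteralPath $dllPath).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $execute)
}).Count -gt 0

if ($denied) {
    Write-Output "Execute access denied on $dllPath. Restart Internet Explorer and any application that embeds it."
} else {
    Write-Output "No deny-execute entry on $dllPath. The Intuit Help System protocol DLL can still be loaded."
}
```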
Notified: March 23, 2012 Updated: May 21, 2012
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector
Base | 5 | AV:A/AC:--/Au:N/C:C/I:C/A:P
Temporal | 3.6 | E:U/RL:W/RC:UC
Environmental | 3.6 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
Thanks to Derek Soeder for reporting this vulnerability.
This document was written by Jared Allar.
CVE IDs: | None
Date Public: | 2012-03-30
Date First Published: | 2012-04-02
Date Last Updated: | 2012-05-21 18:24 UTC
Document Revision: | 17