Wednesday, March 10th, 2010

Intuit Releases Important Security Fix For QuickBooks

October 26, 2009 by Mike  
Filed under Blog, QuickBooks Update

Just got an email from Intuit that they have identified a security vulnerability within QuickBooks related to the use of ActiveX technology. Versions affected are: QuickBooks 2007 through 2009 Simple Start, Pro, Premier and Enterprise Solutions 7.0, 8.0 and 9.0.

If exploited, this vulnerability could allow a hacker to access the data on the user’s computer.

TWO FILES NOW PROTECTED

With current releases, two ActiveX controls are now protected that would otherwise retain potential vulnerabilities:
1.    HtmlHelper.dll
2.    QBInstanceFinder.dll
For the identified versions of QuickBooks, enabling and approving automatic updates, or manually downloading the update and then applying the updates, will eliminate potential risk.

WHERE TO FIND THE QUICKBOOKS UPDATES

Information on the most recent updates available for QuickBooks 2007, 2008, and 2009, including access to manual downloads, can be found at the link below; users are asked to identify the product they need to update:
http://support.quickbooks.intuit.com/support/productupdates.aspx

They included a lot of questions and answers in the email which I have copied and pasted below:

________________________________________

FAQ1. Are any other Intuit products subject to this vulnerability?
A1. At this time and to the best of our knowledge, other Intuit products do not have this vulnerability. If we learn otherwise, we will provide further guidance as soon as possible.
________________________________________
FAQ2. Does this issue affect QuickBooks 2010?
A2. No. Neither QuickBooks 2010, nor Enterprise Solutions 10.0, released in September 2009, are exposed to this vulnerability. Of course, we still encourage users to accept the most current releases for the software.
________________________________________
FAQ3. What are the updates or releases that are required for 2007, 2008, and 2009?
A3. Releases are cumulative in nature, and over time the most current release will have an even higher number. But for each of the following versions of QuickBooks, the release number shown marks the first introduction of the resolution of the security vulnerability:
•    QuickBooks 2009: R8
•    QuickBooks 2008: R10
•    QuickBooks 2007: R13
The updates are also requested for the following versions of Enterprise Solutions: 7.0, 8.0, and 9.0.
________________________________________
FAQ4. What if I have multiple Intuit products? Do I need to download and install the patch for each one?
A4. If you have installed more than one of the identified versions of QuickBooks (2007-2009), you should apply patches for each version. This is because there are unique updates for each version to address the HtmlHelper.dll file. (The QBInstanceFinder.dll file is in the Common Programs folder, and one update will update all installed versions for that DLL file.)
________________________________________
FAQ5. Are older versions of QuickBooks, that is, QuickBooks 2006 or earlier, subject to the ActiveX vulnerability?
A5. Yes. Because these earlier versions are no longer supported, Intuit is unable to provide a tested solution to the vulnerability. See also the next two related questions.
________________________________________
FAQ6. What if my client is still running an earlier, nonsupported version of QuickBooks?
A6. Intuit strongly recommends that all users move to a currently supported version of QuickBooks. This recommendation will be clearly stated in the Intuit communications going to your clients on the topic. The Frequently Asked Questions that are meant to be posted for the benefit of QuickBooks users will also identify this need in the face of the potential vulnerability of QuickBooks 2006 and earlier.
This means that there is no good solution to recommend to clients who continue to run QuickBooks 2006 and earlier, and the ProAdvisors who may grudgingly support them. Possibly the potential vulnerability will encourage such clients to upgrade at this time.
So-Called “Kill Bit” Solution Not Recommended. In the case of systems administrators of networks where QuickBooks may have once been installed but is no longer used, Intuit has prepared some instructions that involve editing the Registry to disable calls to the Internet Browser. See here. Sometimes this approach is informally called the “kill bit” solution.
•    NOT Recommended for Clients. This solution is not recommended for clients running an earlier version of QuickBooks. Besides the riskiness of editing the Windows registry, the kill bit solution has not been tested in earlier versions and could possibly interfere with some areas of functionality.
•    Especially NOT Recommended for ProAdvisors. For ProAdvisors running multiple versions of QuickBooks, including QuickBooks 2006 and earlier, the kill bit solution is not recommended for the above reasons and also because the solution would also disable one of the DLL files used by ALL versions of QuickBooks, including those otherwise updated.
Developing: Please understand that Microsoft continues to work on security updates for its ActiveX implementation, so more general solutions may be forthcoming from that source. If so, those general solutions may address vulnerabilities in QuickBooks 2006 and earlier.
________________________________________
FAQ7. If I run an update for QuickBooks 2007, 2008, or 2009, won’t that resolve the problem for ALL versions using the ActiveX controls? Including 2006 and earlier?
A7. No. Of the two ActiveX control files identified above, one is maintained in common across versions of QuickBooks, but the other is specific to each QuickBooks version.
Therefore running an update for one of the recent versions of QuickBooks does not remove the potential vulnerability for an earlier version of QuickBooks.
________________________________________
FAQ8. I have one or more clients who are using a version of QuickBooks from outside the United States. What should I do?
A8. The U.S. version of QuickBooks has cousins developed for local markets in Canada, the United Kingdom, Australia, and South Africa. The security issue is being addressed for these versions too; for more information, see the Support websites for these versions. See also the list of versions in the question below, on “How do I make sure I have the patch?” In the answer, we list specific versions from these countries.
Websites for downloading the update for several countries are shown above. The following phone numbers are also available:
•    Canadian customers: 1-888-829-1722
•    U.K. customers: 0845 606 2161

Anticipated Questions Posted for All Users
For your reference, here are the FAQs posted for all users by Intuit about the security updates.
________________________________________
Q1. What if I’ve uninstalled one of these products and no longer use it? Do I still need the patch?
A1. If you have uninstalled QuickBooks, you should not be vulnerable to these vulnerabilities. If you have installed multiple versions of QuickBooks, you will be vulnerable if any affected version is still installed. Uninstalling all affected versions of the software will remove the vulnerability from your system.
________________________________________
Q2. How do I download and install the update?
A2. All users of an identified version of QuickBooks should download the security update at:
http://support.quickbooks.intuit.com/Support/ProductUpdates.aspx. Canadian users can also download the update from: http://support.intuit.ca/quickbooks/en-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html
When the page appears:
1.    Choose your product by clicking the product selector link.
2.    Click the Update button to start the download and click Go.
3.    Select Open or Run This Program from its Current Location to begin installing the update immediately. Restarting your computer is not required.
4.    If you don’t have time to install the update, you can select Save or Save This Program to Disk and the update file, called qbwebpatch.exe, will download to your hard drive. You’ll need to open that file to run the update.
________________________________________
Q3. How do I check that the security update has been applied?
A3. To make sure the patch has been applied and is installed on your system, open QuickBooks, and press the F2 key.  In the display, you should see the product version information in the first line. Versions of QuickBooks with the patches applied are the following:
•    QuickBooks 2009 R8 US
•    QuickBooks 2008 R10 US
•    QuickBooks 2007 R13 US
•    QuickBooks 2006 R12 UK
•    QuickBooks 2008 R12 UK
•    QuickBooks 2009 R6 CAN
•    QuickBooks 2008 R8 CAN
•    QuickBooks MC R24 CAN
•    QuickBooks 2009 French R6 CAN
•    QuickBooks 2007 French R7 CAN
•    QuickBooks 2009/10 AU (v18)
________________________________________
Q4. What operating systems are supported?
A4. The security update is available for all operating systems used by any identified versions of the QuickBooks applications: Windows XP, Windows Vista, and Windows 2000.
[If you are running Windows 98 or Windows ME, you need to have Internet Explorer 6.0 or later installed before you can install the update. Go to the Internet Explorer 6 Downloads Web page to install a more recent version of IE. ]
Note: Intuit products for Apple MacOS X are not affected.
________________________________________
Q5. What if I have multiple Intuit products? Do I need to download and install the update for each one?
A5. If you have installed more than one identified version of QuickBooks, you should apply an update for each version.
________________________________________
Q6. I still have a trial version of QuickBooks installed on my system. Do I still need to apply the security update?
A6. Yes. If you have any trial versions of one of the identified versions of QuickBooks installed on your system, you should download and install the security update.
________________________________________
Q7. I only use the Internet on a periodic basis. Do I still need to download the security update?
A7. Yes. If you installed an identified version of QuickBooks on your computer, the vulnerability poses a security risk regardless of whether you are currently connected to the Internet. We recommend that all users of an identified version download and install the security update.
________________________________________
Q8. How do I ensure that my computer has not already been compromised?
A8. If you have anti-virus software installed and have updates run automatically, the anti-virus software should detect the presence of any malware on your computer.  If you want to determine if your computer has malware on it, run a complete scan of your computer using an anti-virus software product.
________________________________________
Q9. I’m the administrator of my office network. Some machines have had QuickBooks installed at some point but don’t any longer, and aren’t getting automatic updates. What should I do to secure my network?
A9. If you have had QuickBooks installed on some computers at some point, and are no longer running QuickBooks on those machines and receiving automatic updates, you can secure these machines by following these steps to edit the Windows Registry. Please back up the Registry before you implement the following changes:
1.    Copy the following text to a file with the “.REG” suffix.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{596801D8-2C9D-4627-9C67-195CB81B655A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}]
"Compatibility Flags"=dword:00000400
2.    Import this into the registry by double-clicking on the .REG file and it will automatically be imported.  This will disable the affected ActiveX controls.
________________________________________
Q10. What if I use QuickBooks 2006 or a previous version?
A10. Intuit wants your data to be safe. We recommend you upgrade to a newer version of QuickBooks (2007 or later) as soon as possible and follow the instructions to update that version. QuickBooks 2006 and prior versions are no longer supported and Intuit does not release updates for these products.
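An administrator who applied the kill-bit .REG file from Q9 above on machines that no longer run QuickBooks will want to confirm it actually took effect. The following is an added example, not Intuit's code: it parses a `reg export` of the ActiveX Compatibility key and reports, for the two CLSIDs in the .REG file, whether the kill bit (0x400 in "Compatibility Flags") is set. The sample export is constructed, and the script tests the bit rather than comparing the whole value, since other flag bits may legitimately be present.

```python
import re

# Kill bit in IE's "Compatibility Flags" value (Microsoft KB 240797); other bits may be set too.
KILL_BIT = 0x400

# Control CLSIDs from Intuit's .REG instructions in Q9 above.
QUICKBOOKS_CLSIDS = (
    "{596801D8-2C9D-4627-9C67-195CB81B655A}",
    "{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}",
)

ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def parse_reg(text):
    """Parse the subset of .reg syntax used here: [key] headers and "name"=dword:xxxxxxxx values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def killbit_status(reg_text, clsids=QUICKBOOKS_CLSIDS):
    """Map each CLSID to True if its kill bit is set under ActiveX Compatibility, else False."""
    prefix = ACTIVEX_COMPAT.upper() + "\\"
    # Compare key paths and CLSIDs case-insensitively; exports differ in hex case.
    by_clsid = {k.upper()[len(prefix):]: v for k, v in parse_reg(reg_text).items()
                if k.upper().startswith(prefix)}
    return {c: bool(by_clsid.get(c.upper(), {}).get("Compatibility Flags", 0) & KILL_BIT)
            for c in clsids}


# Constructed sample of a `reg export` of the ActiveX Compatibility key (not from a real system):
# the first control has the kill bit plus another flag, the second control lacks the kill bit.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{596801D8-2C9D-4627-9C67-195CB81B655A}]
"Compatibility Flags"=dword:00000401

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}]
"Compatibility Flags"=dword:00000001
"""

if __name__ == "__main__":
    for clsid, killed in killbit_status(SAMPLE_EXPORT).items():
        print(clsid, "kill bit set" if killed else "kill bit MISSING")
```

A real `reg export` file is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing its contents to `killbit_status`.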
