
U.S., Intuit Disagree on Critical QuickBooks Bugs

Gregg Keizer, Computerworld


Two days after the federal government's cyberdefense arm warned users of the popular QuickBooks small-business accounting software that they risk losing data and control of their PCs to hackers, the program's developer claimed it patched the bug almost six months ago.

According to two advisories published by the U.S. Computer Emergency Readiness Team (US-CERT) on Tuesday, the ActiveX control that enables Intuit Inc.'s Web-based QuickBooks Online Edition (QBOE) contains flaws that attackers can exploit simply by getting users to view an HTML e-mail message or visit a malicious Web site.

Of the two bugs discovered and reported by US-CERT researcher Will Dormann, one not only let attackers seed a vulnerable Windows PC with malware, but allowed them to steal files from the machine.

Copenhagen-based vulnerability tracker Secunia ApS ranked the vulnerabilities "highly critical," its second-most serious threat rating.

On Thursday, Intuit confirmed that it had been told by US-CERT of the problem in January, but said the buggy ActiveX control had been patched sometime after that. It rolled the fix into a March 15 update to the Web service.

"We put out a new version of the software that took care of the issue," said Intuit spokeswoman Heather McLellen. "The next time users logged into their accounts, they were automatically upgraded to the new software, version 10. The only version that people have been using since then does not have this vulnerability."

QBOE is a Web-based subset of the traditional on-disk software, and uses a subscription pricing model that starts at US$19.95 per month. Customers log on and access their accounting data using Microsoft Corp.'s Internet Explorer browser.

"I don't know why US-CERT issued the advisory yesterday," said McLellen when asked about the move. "They reported the problem to us in January, and we had fixed it by March."

Yesterday, Intuit posted a new document to the QBOE support site that spells out the steps users who had not logged in since March 15 should take to protect their PCs from possible attack. "The only people who might still be at risk are non-active users," said McLellen.

The support document instructed former QBOE users to delete the software remaining on their systems using a Remove utility included with their original download, and urged others who had not logged in since March to do so now. "This process will prompt you to automatically download the newest version," the document read.

"Your QBOE data was never at risk and [was] secure at all times on our servers," Intuit said.

US-CERT did not return multiple calls asking for comment.

Computerworld
For more enterprise computing news, visit Computerworld. Story copyright © 2010 Computerworld Inc. All rights reserved.
