Bugs Plague QuickBooks' Online Service, U.S. Gov't Warns
Gregg Keizer, Computerworld
The U.S. federal government's cyberdefense arm Wednesday warned users of the popular QuickBooks small business accounting software that they risk losing data and control of their PCs to hackers.
According to two advisories published by the U.S. Computer Emergency Readiness Team (US-CERT), the ActiveX control that enables Intuit Inc.'s QuickBooks Online Edition contains flaws that attackers can exploit simply by getting users to view an HTML e-mail message or visit a malicious Web site.
Of the two bugs discovered and reported by US-CERT researcher Will Dormann, the one spelled out here is the more dangerous. Not only could attackers seed a vulnerable Windows PC with malware, said Dormann, but "an attacker can also retrieve arbitrary files from a victim's computer."
Danish vulnerability tracker Secunia ranked the vulnerabilities "highly critical," its second-most serious threat rating.
QuickBooks Online Edition is a Web-based subset of the traditional on-disk software, and uses a subscription pricing model that starts at US$19.95 per month. According to Dormann, version 9, and possibly those prior to that, contain the ActiveX vulnerabilities. US-CERT recommended that users update to version 10 as soon as possible, or failing that, set the so-called "kill bit" to disable the control. Doing that, however, means that users won't be able to access QuickBooks Online through Microsoft Corp.'s Internet Explorer, the only browser supported by the service.
Intuit's support site showed no mention of the bugs Wednesday. Ironically, one of the documents in the Online Edition's support database, entitled "What is the ActiveX control for and is it safe?" includes the line: "The short answer is yes, our control is safe."
ActiveX vulnerabilities in non-Microsoft products are nothing new, of course. Just over a month ago, for example, a critical ActiveX flaw was spotted in Yahoo Widgets, a development platform that runs small, Web-based, gadget-like applications on Windows' desktop.

Story copyright © 2007 Computerworld Inc. All rights reserved.