Small Business Susan

Dear Susan Bradley,

We’ve recently released a fix to address a potential security vulnerability within QuickBooks. The issue was related to the use of ActiveX technology in some versions of QuickBooks. On learning about the issue, we fixed the problem, tested the fixes within the identified versions of the software, and have released updates that will address the vulnerabilities. We are unaware of any customers affected.

Identified versions are the Windows desktop versions of Intuit® Quickbooks® 2007 through 2009 Simple Start, Pro, Premier and Enterprise Solutions 7.0, 8.0, and 9.0.

What Is ActiveX? ActiveX is a distributed object system and protocol technology developed by Microsoft. Microsoft updates its implementation of ActiveX controls from time to time through scheduled security updates. Many software and Web companies use ActiveX in their offerings.

Important: If exploited, this vulnerability could allow a hacker to access the data on the user’s computer. Therefore ProAdvisors will want to make sure that clients follow through with installing recent updates.

Requested Action. Where possible and appropriate, please encourage your clients to update their QuickBooks software.

Public Announcements. Clients who are registered owners of QuickBooks 2007, 2009, and 2009 are likely to receive direct notification from Intuit. Please be prepared to answer their questions and continue to encourage them to keep their versions of QuickBooks updated with the most current release.

Please remind all of your clients to keep their software updated. Not all QuickBooks users are registered with Intuit; some may not receive a direct notification.

With current releases, two ActiveX controls are now protected that would otherwise retain potential vulnerabilities:

1. HtmlHelper.dll
2. QBInstanceFinder.dll

For the identified versions of QuickBooks, enabling and approving automatic updates, or manually downloading the update and then applying the updates, will eliminate potential risk.

For information on the most recent updates available for QuickBooks 2007, 2008, and 2009, including access to manual downloads, can be found at this link; users are asked to identify the product they need to update:

http://support.quickbooks.intuit.com/support/productupdates.aspx

Some clients may appreciate a reminder where they can learn more about the most current releases for their U.S. products.

Versions in Other Countries

In rare cases, some U.S. ProAdvisors may have clients who work with a Canadian or United Kingdom version of QuickBooks. Information on these versions follows:

Canadian customers can download the patch from these sites:

• QuickBooks: http://support.intuit.ca/quickbooks/en-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html
• SuccesPME customers can download the patch from: http://support.intuit.ca/succespme/fr-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html

United Kingdom customers can download the patch from this site:

• http://support.intuit.co.uk/quickbooks/en-gb/kb/update/update-quickbooks-to-new-product-update/Update_main.html

Technical Support Contact Information

QuickBooks ProAdvisors looking for technical support are directed to the support site for accounting professionals at

• http://accountant.intuit.com/support/support.aspx

Technical support for non-U.S. versions of QUickBooks can be found following:

• Canadian customers please visit us at
  http://support.intuit.ca/quickbooks/index.jsp
• French Canadian customers please visit us at
  http://support.intuit.ca/succespme/index.jsp
• U.K. customers please visit us at
  http://support.intuit.co.uk/quickbooks/index.jsp

As a further precaution, we will coordinate release of this information with US-CERT (http://www.cert.org) and with Microsoft, for a future release within their regular security updates for ActiveX control configuration.

However, at this time, downloading Intuit’s patch is the only immediate way to eliminate the vulnerability in our currently supported versions of QuickBooks.

We may not say it often enough, but thanks for helping clients get the most out of QuickBooks software. We greatly appreciate the role you play in providing your clients with a superior experience using QuickBooks.

As to the current issue, we have included some FAQs for your reference.

Sincerely,

~ Your ProAdvisor Team,

Questions Specific to Your Role as ProAdvisor

We know you are likely to be running multiple versions of the software, each in its own directory. As much as possible, the following questions have been posed and answered in anticipation of your needs in supporting multiple clients on multiple versions of QuickBooks. We also include some additional questions that clients may have for you that are not directly addressed in the security alert that will be coming their way.

Several terms used: Intuit updates its software from time to time by releasing software patches. Each update or patch is given a Release number for easy identification. In the notes that follow, you may see the term update, release, or patch, depending on the context, used interchangeably.

FAQ1. Are any other Intuit products subject to this vulnerability?

A1. At this time and to the best of our knowledge, other Intuit products do not have this vulnerability. If we learn otherwise, we will provide further guidance as soon as possible.

FAQ2. Does this issue affect QuickBooks 2010?

A2. No. Neither QuickBooks 2010, nor Enterprise Solutions 10.0, released in September 2009, are exposed to this vulnerability. Of course, we still encourage users to accept the most current releases for the software.

FAQ3. What are the updates or releases that are required for 2007, 2008, and 2009?

A3. Releases are cumulative in nature, and over time the most current release will have even a higher number. But for each of the following versions of QuickBooks, the release number shown marks the first introduction of the resolution of the security vulnerability:

• QuickBooks 2009: R8
• QuickBooks 2008: R10
• QuickBooks 2007: R13

The updates are also requested for the following versions of Enterprise Solutions: 7.0, 8.0, and 9.0.

FAQ4. What if I have multiple Intuit products? Do I need to download and install the patch for each one?

A4. If you have installed more than one of the identified versions of Quickbooks (2007-2009), you should apply patches for each version. This is because there are unique updates for each version to address the HtmlHelper.dll file. (The QBInstanceFinder.dll file is in the Common Programs folder, and one update will update all installed versions for that DLL file.)

FAQ5. Are older versions of QuickBooks, that is, QuickBooks 2006 or earlier, subject to the ActiveX vulnerability?

A5: Yes. Because these earlier versions are no longer supported, Intuit is unable to provide a tested solution to the vulnerability. See also the next two related questions.

FAQ6. What if my client is still running an earlier, nonsupported version of QuickBooks?

A6. Intuit strongly recommends that all users move to a currently supported version of QuickBooks. This recommendation will be clearly stated in the Intuit communications going to your clients on the topic. The Frequently Asked Questions that are meant to be posted for the benefit of QuickBooks users will also identify this need in the face of the potential vulnerability of QuickBooks 2006 and earlier.

This means that there is no good solution to recommend to clients who continue to run QuickBooks 2006 and earlier, and the ProAdvisors who may grudgingly support them. Possibly the potential vulnerability will encourage such clients to upgrade at this time.

So-Called “Kill Bit” Solution Not Recommended. In the case of systems administrators of networks where QuickBooks may have once been installed but is no longer used, Intuit has prepared some instructions that involve editing the Registry to disable calls to the Internet Browser. See here. Sometimes this approach is informally called the “kill bit” solution.

• NOT Recommended for Clients. This solution is not recommended for clients running an earlier version of QuickBooks. Besides the riskiness of editing the Windows registry, the kill bit solution has not been tested in earlier versions and could possibly interfere with some areas of functionality.
• Especially NOT Recommended for ProAdvisors. For ProAdvisors running multiple versions of QuickBooks, including QuickBooks 2006 and earlier, the kill bit solution is not recommended for the above reasons and also because the solution would also disable one of the DLL files used by ALL versions of QuickBooks, including those otherwise updated.

Developing: Please understand that Microsoft continues to work on security updates for its ActiveX implementation, so more general solutions may be forthcoming from that source. If so, those general solutions may address vulnerabilities in QuickBooks 2006 and earlier.

FAQ7. If I run an update for QuickBooks 2007, 2008, or 2009, won’t that resolve the problem for ALL versions using the ActiveX controls? Including 2006 and earlier?

A7. No. Of the two ActiveX control files identified above, one is maintained in common across versions of QuickBooks, but the other is specific to each QuickBooks version.

Therefore running an update for one of the recent versions of QuickBooks does not remove the potential vulnerability for an earlier version of QuickBooks.

FAQ8. I have one or more clients who are using a version of QuickBooks from outside the United States. What should I do?

A8. The U.S. version of QuickBooks has cousins developed for local markets in Canada, the United Kingdom, Australia, and South Africa. The security issue is being addressed for these versions too; for more information, see the Support websites for these versions. See also the list of versions in the question below, on “How do I make sure I have the patch?” In the answer, we list specific versions from these countries.

Websites for downloading the update for several countries are shown above. The following phone numbers are also available:

• Canadian customers: 1-888-829-1722
• U.K. customers: 0845 606 2161

Anticipated Questions Posted for All Users

For your reference, here are the FAQs posted for all users by Intuit about the security updates.

Q1. What if I’ve uninstalled one of these products and no longer use it? Do I still need the patch?

A1. If you have uninstalled QuickBooks, you should not be vulnerable to these vulnerabilities. If you have installed multiple versions of QuickBooks, you will be vulnerable if any affected version is still installed. Uninstalling all affected versions of the software will remove the vulnerability from your system.

Q2. How do I download and install the update?

A2. All users of an identified version of QuickBooks should download the security update at:

http://support.quickbooks.intuit.com/Support/ProductUpdates.aspx. Canadian users can also download the update from: http://support.intuit.ca/quickbooks/en-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html

When the page appears:

1. Choose your product by clicking the product selector link.
2. Click the Update button to start the download and click Go.
3. Select Open or Run This Program from its Current Location to begin installing the update immediately. Restarting your computer is not required.
4. If you don’rt have time to install the update, you can select Save or Save This Program to Disk and the update file, called qbwebpatch.exe, will download to your hard drive. You’ll need to open that file to run the update.

Q3. How do I check that the security update has been applied?

A3. To make sure the patch has been applied and is installed on your system, open QuickBooks, and press the F2 key.  In the display, you should see the product version information in the first line. Versions of QuickBooks with the patches applied are the following:

• QuickBooks 2009 R8 US
• QuickBooks 2008 R10 US
• QuickBooks 2007 R13 US
• QuickBooks 2006 R12 UK
• QuickBooks 2008 R12 UK
• QuickBooks 2009 R6 CAN
• QuickBooks 2008 R8 CAN
• QuickBooks MC R24 CAN
• QuickBooks 2009 French R6 CAN
• QuickBooks 2007 French R7 CAN
• QuickBooks 2009/10 AU (v18)

Q4. What operating systems are supported?

A4. The security update is available for all operating systems used by any identified versions of the Quickbooks applications: Windows XP, Windows Vista, and Windows 2000.

[If you are running Windows 98 or Windows ME, you need to have Internet Explorer 6.0 or later installed before you can install the update. Go to the Internet Explorer 6 Downloads Web page to install a more recent version of IE. ]

Note: Intuit products for Apple MacOS X are not affected.

Q5: What if I have multiple Intuit products? Do I need to download and install the update for each one?

A5. If you have installed more than one identified version of Quickbooks, you should apply an update for each version.

Q6. I still have a trial version of Quickbooks installed on my system. Do I still need to apply the security update?

A6. Yes. If you have any trial versions of one of the identified versions of Quickbooks installed on your system, you should download and install the security update.

Q7. I only use the Internet on a periodic basis. Do I still need to download the security update?

A7. Yes. If you installed an identified version of Quickbooks on your computer, the vulnerability poses a security risk regardless of whether you are currently connected to the Internet. We recommend that all users of an identified version download and install the security update.

Q8. How do I ensure that my computer has not already been compromised?

A8. If you have anti-virus software installed and have updates run automatically, the anti-virus software should detect the presence of any malware on your computer.  If you want to determine if your computer has malware on it, run a complete scan of your computer using an anti-virus software product.

Q9. I’m the administrator of my office network. Some machines have had QuickBooks installed at some point but don’t any longer, and aren’t getting automatic updates. What should I do to secure my network?

A9. If you have had QuickBooks installed on some computers at some point, and are no longer running QuickBooks on those machines and receiving automatic updates, you can secure these machines by following these steps to edit the Windows Registry. Please back up the Registry before you implement the following changes:

1. Copy the following text to a file with the “.REG” suffix.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{596801D8-2C9D-4627-9C67-195CB81B655A}]
“Compatibility Flags”=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}]
“Compatibility Flags?=dword:00000400

2. Import this into the registry by double-clicking on the .REG file and it will automatically be imported.  This will disable the affected ActiveX controls.

Q10. What if I use QuickBooks 2006 or a previous version?

A10. Intuit wants your data to be safe. We recommend you upgrade to a newer version of QuickBooks (2007 or later) as soon as possible and follow the instructions to update that version. QuickBooks 2006 and prior versions are no longer supported and Intuit does not release updates for these products.