QuickBooks ActiveX Controls
To our Customers:
Intuit has identified, and created a solution for, a potential security vulnerability in some of our QuickBooks desktop software (2009 and older supported versions). We know of no cases where someone has taken advantage of this vulnerability. However, if exploited, it could allow a cyber criminal to access the data on your computer. Downloading and applying the product update will eliminate this vulnerability, so it’s important for every customer to install this update.
Two ActiveX controls were affected. These are HtmlHelper.dll and QBInstanceFinder.dll.
Identified versions: These vulnerabilities affect several versions of Intuit QuickBooks products that should receive updates. The identified versions of these QuickBooks products are:
- QuickBooks Product Line
QuickBooks Simple Start, Pro, Premier and Enterprise – versions 2007 - 2009
- QuickBooks 2009 (both English and French editions)
- QuickBooks 2008
- QuickBooks Multicurrency Edition
- QuickBooks 2007 (French edition only)
U.K. Products—these products have already been patched
- UK & South Africa (note that there was no QB 2009 for the UK)
- QuickBooks 2008 R12
- QuickBooks 2006 R12
- QuickBooks 2009/10 AU (v18)
QuickBooks 2010 in the U.S. and Canada, released in September 2009, is not affected by this vulnerability. Other Intuit products, at this time and to the best of our knowledge, do not have this vulnerability. If we learn otherwise, we will provide further guidance at that time.
Intuit has already released an automatic patch which may have been applied. If the security patch has been applied, the QuickBooks release level will be updated to the latest version. To get this information, open QuickBooks, and press the F2 key. In the display, you should see the product version information in the first line. Versions of QuickBooks with the patches applied are the following:
- QuickBooks 2009 R8 US
- QuickBooks 2008 R10 US
- QuickBooks 2007 R13 US
- QuickBooks 2006 R12 UK
- QuickBooks 2008 R12 UK
- QuickBooks 2009 R6 CAN
- QuickBooks 2008 R8 CAN
- QuickBooks MC R24 CAN
- QuickBooks 2009 French R6 CAN
- QuickBooks 2007 French R7 CAN
- QuickBooks 2009/10 AU (v18)
If the patch was not automatically applied, it is very important for you to apply the patch now.
What You Need To Do
If you have ever installed any of the identified products on your computer you should download and install Intuit’s patch, which will immediately eliminate the vulnerability.
US customers can download the patch from: http://support.quickbooks.intuit.com/Support/ProductUpdates.aspx
Canadian QuickBooks customers can download the patch from: http://support.intuit.ca/quickbooks/en-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html
SuccesPME customers can download the patch from: http://support.intuit.ca/succespme/fr-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html
For UK customers, this fix was released in R12 which you should already have installed. If not, install the patch from: http://support.intuit.co.uk/quickbooks/en-gb/kb/update/update-quickbooks-to-new-product-update/Update_main.html
As a further precaution, we will coordinate release of this information with US-CERT and with Microsoft, for a future release within their regular security updates for ActiveX control configuration. Downloading Intuit’s patch is the most immediate way to eliminate the vulnerability.
We apologize for any inconvenience this may cause.
Technical Support Contact Information
If you encounter any problems installing the patch:
- U.S. customers please visit us at:
- Canadian customers please visit us at:
- French Canadian customers please visit us at:
- U.K. customers please visit us at:
Questions and Answers About the ActiveX Control Vulnerability
Q1. What if I’ve uninstalled one of these products and no longer use it? Do I still need the patch?
A1. If you have uninstalled QuickBooks, you should not be exposed to these vulnerabilities. If you have installed multiple versions of QuickBooks, you will be vulnerable if any identified version is still installed. Uninstalling all identified versions of the software will remove the vulnerability from your system. When uninstalling multiple versions, ensure that you uninstall the most recent version of the software last.
Q2. How do I download and install the patch?
A2. All users of an identified version of QuickBooks should download the security patch at: http://support.quickbooks.intuit.com/Support/ProductUpdates.aspx. Canadian users can also download updates from: http://support.intuit.ca/quickbooks/en-ca/kb/update/update-quickbooks-to-new-product-update/Update_main.html
When the page appears:
- Choose your product by clicking the product selector link.
- Click the “Update” button to start the download and click “Go.”
- Select “Open” or “Run This Program From its Current Location” to begin installing the patch immediately. Restarting your computer is not required.
- If you don’t have time to install the patch, you can select “Save” or “Save This Program to Disk” and the patch file, called qbwebpatch.exe, will download to your hard drive. You’ll need to open that file to run the patch.
Q3. How do I check that the security patch has been applied?
A3. To make sure the patch has been applied and is installed on your system, do the following:
If the security patch has been applied, the QuickBooks release level will be updated to the latest version. To get this information, open QuickBooks, and press the F2 key. In the display, you should see the product version information in the first line. Versions of QuickBooks with the patches applied are the following:
- QuickBooks 2009 R8 US
- QuickBooks 2008 R10 US
- QuickBooks 2007 R13 US
- QuickBooks 2006 R12 UK
- QuickBooks 2008 R12 UK
- QuickBooks 2009 R6 CAN
- QuickBooks 2008 R8 CAN
- QuickBooks MC R24 CAN
- QuickBooks 2009 French R6 CAN
- QuickBooks 2007 French R7 CAN
- QuickBooks 2009/10 AU (v18)
Q4. What operating systems are supported?
A4. The security patch is available for all operating systems used by any identified versions of the QuickBooks applications: Windows XP, Windows Vista, and Windows 2000. [If you are running Windows 98 or Windows ME, you need to have Internet Explorer 6.0 or later installed before you can install the update. Go to the Internet Explorer 6 Downloads Web page to install a more recent version of IE.] Note: Intuit products for Apple MacOS X are not affected.
Q5. What if I have multiple Intuit products? Do I need to download and install the patch for each one?
A5. If you have installed more than one identified version of QuickBooks, you should apply patches for each version.
Q6. I still have a trial version of QuickBooks installed on my system. Do I still need to apply the security patch?
A6. Yes. If you have any trial versions of one of the identified versions of QuickBooks installed on your system, you should download and install the security patch.
Q7. I only use the Internet on a periodic basis. Do I still need to download the security patch?
A7. Yes. If you installed an identified version of QuickBooks on your computer, the vulnerability poses a security risk regardless of whether you are currently connected to the Internet. We recommend that all users of an identified version download and install the security patch.
Q8. How do I ensure that my computer has not already been compromised?
A8. If you have anti-virus software installed and have updates run automatically, the anti-virus software should detect the presence of any malware on your computer. If you want to determine if your computer has malware on it, run a complete scan of your computer using an anti-virus software product.
Q9. I’m the administrator of my office network. Some machines have had QuickBooks installed at some point but don’t any longer, and aren’t getting automatic updates. What should I do to secure my network?
A9. If QuickBooks was installed on some computers at some point, and those machines no longer run QuickBooks or receive automatic updates, you can secure them by following these steps:
- Copy the following text to a file with the “.REG” suffix.
Windows Registry Editor Version 5.00
- Import this into the registry by double-clicking the .REG file; it will be imported automatically. This will disable the affected ActiveX controls.
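A read-only way for an administrator to audit the state the .REG import in A9 is meant to produce, as an added example (not Intuit's script and not the .REG content from this advisory): it finds any COM registration whose in-process server is HtmlHelper.dll or QBInstanceFinder.dll and reports whether Internet Explorer's kill bit is set for that CLSID. It assumes the .REG file uses the standard kill-bit mechanism ("Compatibility Flags" 0x400 under the ActiveX Compatibility key) and PowerShell 3.0 or later; the CLSIDs are discovered from the local registry because they are not listed on this page.

```powershell
# Added example: read-only audit; it does not modify the registry.
# DLL names come from the advisory. CLSIDs are discovered locally, not taken from the page.
$dllNames = 'HtmlHelper.dll', 'QBInstanceFinder.dll'
$killBit  = 0x400   # "Compatibility Flags" bit that stops Internet Explorer loading a control

# Native registry view, plus the 32-bit view present on 64-bit Windows.
$views = @(
    @{ Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

$findings = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue) {
        # The default value of InprocServer32 is the path of the DLL that implements the class.
        $server = $key.OpenSubKey('InprocServer32')
        if ($null -eq $server) { continue }
        $dllPath = [string]$server.GetValue('')
        $server.Close()
        if (-not $dllPath) { continue }
        $leaf = Split-Path -Path $dllPath.Trim('"') -Leaf
        if ($dllNames -notcontains $leaf) { continue }

        # Look up the kill bit for this CLSID in the matching registry view.
        $flags = 0
        $compatKey = Join-Path $view.Compat $key.PSChildName
        if (Test-Path -LiteralPath $compatKey) {
            $flags = [int](Get-Item -LiteralPath $compatKey).GetValue('Compatibility Flags', 0)
        }
        [pscustomobject]@{
            Control    = $leaf
            Clsid      = $key.PSChildName
            DllPath    = $dllPath
            KillBitSet = (($flags -band $killBit) -ne 0)
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'Neither control is registered on this machine.' }
```

A row with KillBitSet False means Internet Explorer can still load that control on that machine.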
Q10. What if I use QuickBooks 2006 or a previous version?
A10. Intuit wants your data to be safe. We recommend you upgrade to a newer version of QuickBooks (2007 or later) as soon as possible and follow the instructions to update that version. QuickBooks 2006 and prior versions are no longer supported and Intuit does not release updates for these products.
For additional information please contact Intuit at firstname.lastname@example.org