
Security Information

To our Customers:

Intuit has identified, and created a solution for, a potential security vulnerability in some of our QuickBooks desktop software (2009 and older supported versions). We know of no cases where someone has taken advantage of this vulnerability. However, if exploited, it could allow a cyber criminal to access the data on your computer. Downloading and applying the product update will eliminate this vulnerability, so it’s important for every customer to install this update.

Two ActiveX controls were affected. These are HtmlHelper.dll and QBInstanceFinder.dll.

Identified versions: These vulnerabilities affect several versions of Intuit QuickBooks products, all of which should receive updates. The identified versions of these QuickBooks products are:

U.S. Products

  • QuickBooks Product Line
  • QuickBooks Simple Start, Pro, Premier and Enterprise – versions 2007 - 2009

Canadian Products

  • QuickBooks 2009 (both English and French editions)
  • QuickBooks 2008 QuickBooks Multicurrency Edition
  • QuickBooks 2007 (French edition only)

U.K. Products—these products have already been updated

  • UK & South Africa (note that there was no QB 2009 for the UK)
  • QuickBooks 2008 R12
  • QuickBooks 2006 R12

Australian Products

  • QuickBooks 2009/10 AU (v18)

 

QuickBooks 2010 in the U.S. and Canada, released in September 2009, is not affected by this vulnerability. Other Intuit products, at this time and to the best of our knowledge, do not have this vulnerability. If we learn otherwise, we will provide further guidance at that time.

Intuit has already released an automatic update which may have been applied. If the security update has been applied, the QuickBooks release level will be updated to the latest version. To get this information, open QuickBooks, and press the F2 key. In the display, you should see the product version information in the first line. Versions of QuickBooks with the updates applied are the following:

  • QuickBooks 2009 R8 US
  • QuickBooks 2008 R10 US
  • QuickBooks 2007 R13 US
  • QuickBooks 2006 R12 UK
  • QuickBooks 2008 R12 UK
  • QuickBooks 2009 R6 CAN
  • QuickBooks 2008 R8 CAN
  • QuickBooks MC R24 CAN
  • QuickBooks 2009 French R6 CAN
  • QuickBooks 2007 French R7 CAN
  • QuickBooks 2009/10 AU (v18)

If the update was not automatically applied, it is very important for you to apply the update now.

What You Need To Do
If you have ever installed any of the identified products on your computer, you should download and install Intuit’s update, which will immediately eliminate the vulnerability.

US customers can download the update from: http://support.quickbooks.intuit.com/Support/ProductUpdates.aspx

For UK customers, this fix was released in R12 which you should already have installed. If not, install the update from: http://support.intuit.co.uk/quickbooks/en-gb/kb/update/update-quickbooks-to-new-product-update/Update_main.html

As a further precaution, we will coordinate release of this information with US-CERT (http://www.cert.org) and with Microsoft, for a future release within their regular security updates for ActiveX control configuration. Downloading Intuit’s update is the most immediate way to eliminate the vulnerability.

We apologize for any inconvenience this may cause.

Technical Support Contact Information
If you encounter any problems installing the update:

U.S. customers please visit us at http://support.quickbooks.intuit.com/support/default.aspx

Canadian customers please visit us at: http://support.intuit.ca/quickbooks/index.jsp

French Canadian customers please visit us at: http://support.intuit.ca/succespme/index.jsp

U.K. customers please visit us at http://support.intuit.co.uk/quickbooks/index.jsp

 

Questions and Answers

Q1. What if I’ve uninstalled one of these products and no longer use it? Do I still need the update?
A1. If you have uninstalled QuickBooks, you should not be vulnerable to these vulnerabilities. If you have installed multiple versions of QuickBooks, you will be vulnerable if any identified version is still installed. Uninstalling all identified versions of the software will remove the vulnerability from your system. When uninstalling multiple versions, ensure that you uninstall the most recent version of the software last.

Q2. How do I download and install the update?
A2. All users of an identified version of QuickBooks should download the security update at:
http://support.quickbooks.intuit.com/Support/ProductUpdates.aspx

When the page appears:

  1. Choose your product by clicking the product selector link.
  2. Click the “Update” button to start the download and click “Go.”
  3. Select “Open” or “Run This Program From its Current Location” to begin installing the update immediately. Restarting your computer is not required.
  4. If you don’t have time to install the update, you can select “Save” or “Save This Program to Disk” and the update file, called qbwebpatch.exe, will download to your hard drive. You’ll need to open that file to run the update.
     

Q3. How do I check that the security update has been applied?
A3. To make sure the update has been applied and is installed on your system, do the following:

If the security update has been applied, the QuickBooks release level will be updated to the latest version. To get this information, open QuickBooks, and press the F2 key. In the display, you should see the product version information in the first line. Versions of QuickBooks with the updates applied are the following:

  • QuickBooks 2009 R8 US
  • QuickBooks 2008 R10 US
  • QuickBooks 2007 R13 US
  • QuickBooks 2006 R12 UK
  • QuickBooks 2008 R12 UK
  • QuickBooks 2009 R6 CAN
  • QuickBooks 2008 R8 CAN
  • QuickBooks MC R24 CAN
  • QuickBooks 2009 French R6 CAN
  • QuickBooks 2007 French R7 CAN
  • QuickBooks 2009/10 AU (v18)

 

Q4. What operating systems are supported?
A4. The security update is available for all operating systems used by any identified versions of the QuickBooks applications: Windows XP, Windows Vista, and Windows 2000.
[If you are running Windows 98 or Windows ME, you need to have Internet Explorer 6.0 or later installed before you can install the update. Go to the Internet Explorer 6 Downloads Web page to install a more recent version of IE.]
Note: Intuit products for Apple MacOS X are not affected.

Q5. What if I have multiple Intuit products? Do I need to download and install the update for each one?
A5. If you have installed more than one identified version of QuickBooks, you should apply an update for each version.

Q6. I still have a trial version of QuickBooks installed on my system. Do I still need to apply the security update?
A6. Yes. If you have a trial version of any of the identified versions of QuickBooks installed on your system, you should download and install the security update.

Q7. I only use the Internet on a periodic basis. Do I still need to download the security update?
A7. Yes. If you installed an identified version of QuickBooks on your computer, the vulnerability poses a security risk regardless of whether you are currently connected to the Internet. We recommend that all users of an identified version download and install the security update.

Q8. How do I ensure that my computer has not already been compromised?
A8. If you have anti-virus software installed and have updates run automatically, the anti-virus software should detect the presence of any malware on your computer. If you want to determine if your computer has malware on it, run a complete scan of your computer using an anti-virus software product.

Q9. I’m the administrator of my office network. Some machines have had QuickBooks installed at some point but don’t any longer, and aren’t getting automatic updates. What should I do to secure my network?
A9. If QuickBooks was installed on some computers at some point, and those machines are no longer running QuickBooks or receiving automatic updates, you can secure them by following these steps:

  1. Copy the following text to a file with the “.REG” suffix.
    Windows Registry Editor Version 5.00

    ; Compatibility Flags 0x00000400 is the ActiveX kill bit: Internet Explorer will not load a control with this CLSID.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{596801D8-2C9D-4627-9C67-195CB81B655A}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}]
    "Compatibility Flags"=dword:00000400
  2. Import the file into the registry by double-clicking the .REG file; it will be imported automatically. This will disable the affected ActiveX controls.
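
To confirm that the import took effect on a machine, the following added example (not Intuit's code) reads back the "Compatibility Flags" value for the two CLSIDs in the .REG file above. It also checks the Wow6432Node view, which is the one 32-bit Internet Explorer reads on 64-bit Windows; the function name Get-KillBitStatus is hypothetical.

```powershell
# Added example: audit the ActiveX kill bit for the two CLSIDs listed in the .REG file.
$Clsids = @(
    '{596801D8-2C9D-4627-9C67-195CB81B655A}',
    '{03C3A013-02F2-4e56-87A8-B74A7C5DC75B}'
)
$KillBit = 0x400   # "Compatibility Flags" value written by the .REG file

# Native registry view, plus the 32-bit view used by 32-bit Internet Explorer on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {   # hypothetical helper name
    foreach ($root in $Roots) {
        # The Wow6432Node view does not exist on 32-bit Windows; skip it there.
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in $Clsids) {
            $key   = Join-Path $root $clsid
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
                if ($item) { $flags = $item.'Compatibility Flags' }
            }
            [pscustomobject]@{
                Key        = $key
                Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
                # Other flag bits may be present; only the 0x400 bit matters here.
                KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
            }
        }
    }
}

Get-KillBitStatus | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell session on 64-bit Windows so that both views are read without redirection. A row showing KillBitSet as False under Wow6432Node means the same two values still need to be set in that view.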
     

Q10. What if I use QuickBooks 2006 or a previous version?
A10. Intuit wants your data to be safe. We recommend you upgrade to a newer version of QuickBooks (2007 or later) as soon as possible and follow the instructions to update that version. QuickBooks 2006 and prior versions are no longer supported, and Intuit does not release updates for these products.

KB ID# INF13462
12/7/2016 8:26:45 AM