Bad Guys Are ActiveX With Your Money
If you're running Intuit's popular QuickBooks Online Edition, the US Computer Emergency Readiness Team is warning you that your ActiveX controls might be stabbing you in the back,at least if you visit a malicious webpage. Computer Emergency Readiness Team? That's what CERT stand for? Are they like code ninjas? Does someone project an html signal onto a cloud at night to summon them? Never mind. Fix your ActiveX controls.
The vulnerabilities, rated “highly critical” by Secunia, can be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
“By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash,” according to the US-CERT alert.
If someone steals one of your credit card numbers online, you have a problem. If someone steals all that sensitive financial and tax information you put into QuickBooks, you might as well live in a tent and grow your own food from then on in. There's an update available from Intuit here.
