Software Engineering Institute

Derek Soeder's vulnerability report states the following:

Intuit Help System Protocol File Retrieval
The vulnerability described in this document can be exploited by malicious HTML and Javascript to retrieve a file from a ZIP archive to which the user viewing the HTML has local or network file system access. The attacker must know or guess the path and file name of the target ZIP archive and the target file it contains. A further significant limitation is that files in subdirectories inside of ZIP archives have proven inaccessible, based on a sampling of Windows ZIPs, Microsoft Office 2007 documents, JARs, and APKs.

Intuit Help System Protocol URL Heap Corruption and Memory Leak
The vulnerability described in this document can potentially be exploited by malicious HTML and/or Javascript to execute arbitrary code as the user viewing the malicious content.

Additional details may be found in the full advisories linked above.

An attacker may be able to retrieve sensitive files or run arbitrary code.

QuickBooks 2008 through 2012 will automatically update to address this vulnerability. If you are unable to apply the latest updates, please consider the following workaround.

Disable the Intuit Help System protocol

Delete, rename, or restrict read access to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Classes\PROTOCOLS\Handler\intu-help-qb#

Where '#' is a digit from 1 to 5, or delete, rename, or restrict execute access to the "HelpAsyncPluggableProtocol.dll" file in the QuickBooks installation directory, and then restart Internet Explorer and any application that uses it as an embedded Web browser. Note that disabling the protocol will prevent QuickBooks from displaying help pages.