Quickbooks 2009 – Quickbooks 2012; in conjunction with Internet Explorer Versions 7-9
- The vulnerability described in this document can potentially be
code as the user viewing the malicious content.
- Intuit Help System Protocol File Retrieval:
- The vulnerability described in this document can be exploited by
which the user viewing the HTML has local or network file system
access. The attacker must know or guess the path and file name of the
target ZIP archive and the target file it contains. A further
significant limitation is that files in subdirectories inside of ZIP
archives have proven inaccessible, based on a sampling of Windows
ZIPs, Microsoft Office 2007 documents, JARs, and APKs.
No vendor response at the time of public release. More information will be posted as it becomes available.
The Microsoft Malware Protection Center has found a trojan downloader that does not have any suspicious routines in its initial state and is therefore difficult for virus scanners to detect. Once it has been started, the small Visual Basic program loads a web page for a Tibetan restaurant. The HTML for this site hides shell code that the program then downloads into RAM and executes.
Although the executable file, which Microsoft has labelled TrojanDownloader:Win32/Poison.A, only produces an error message on a computer not connected to the internet, once the malicious code has been successfully run it copies itself into a system folder and from there begins to keylog.
A modern virus scanner’s behaviour monitoring system should be alerted at this point. The spying functionality that is downloaded once an internet connection is present comes from the free “Poison Ivy” trojan builder tool, which can provide the payload directly as shell code.
Normally, a downloader pulls an executable file from the internet, saves it on the disk, and executes it – activity that should alert a virus scanner’s behaviour monitor. This example once again shows how important it is to install a virus scanner with a behaviour monitor.