Intuit - Important Security Update

To Our Customers:

Intuit is notifying customers that we have identified, and created a solution for, a potential security vulnerability in some of our Windows-based tax, consumer and small business software.

The risk involves AnswerWorks software, which is licensed from Vantage and developed on Microsoft's ActiveX platform. It's used in the “Help” feature of the affected Intuit products.

We know of no cases where someone has taken advantage of this vulnerability. However, if exploited, it could allow a hacker to access the data on your computer. Downloading the update below will eliminate this vulnerability, so it's important for every customer to install.

The vulnerability involves code that's part of the “Help” function in the following Intuit products.

U.S. Products

TurboTax
TurboTax - tax years 2003-2006
Quicken
Quicken Personal Finance Software - 2008
Professional Tax and Accounting Products
ProSeries and ProSeries Express - tax years 2003-2006
QuickBooks: Premier Accountant Edition - versions 2005-2007
QuickBooks Product Line
QuickBooks Basic, Simple Start, Pro, Premier and Enterprise - versions 2005-2007
Innovative Merchant Solutions
QuickBooks Credit Card Processing Kit - all versions
Invoice Manager - all versions

Canadian Products

QuickBooks Product Line
QuickBooks (English) - versions 2003-2007
QuickBooks (French) SuccèsPME, and Logiciel Comptable - versions 2003-2007
QuickTax and ImpôtRapide
QuickTax (English) - tax years 2003-2006
ImpôtRapide - tax years 2003-2006
Quicken
Personal Finance Software - 2008

U.K. Products

QuickBooks
QuickBooks versions - 2003-2008
Versions included in Barclay's Business Manager
Clearly Bookkeeping
Clearly Bookkeeping versions - 2003-2004

What You Need To Do

If you have ever installed any of these products on your computer you should download and install Intuit's patch, which will immediately eliminate the vulnerability.
(Note: For a French version of the patch, click here.) The patch is approximately 1MB and should download in about 20 seconds on broadband connections.

As a further precaution, this patch is scheduled to be released with Microsoft's next Windows Security Update planned for Dec 11. Of course, downloading Intuit's patch is the most immediate way to eliminate the vulnerability.

We apologize for the inconvenience this may cause.

Technical Support Contact Information

If you encounter any problems installing the patch, please call:

U.S. customers: 1-800-4-INTUIT (1-800-446-8848)
Canadian customers: 1-888-829-1722
U.K. customers: 0845 606 2161

Questions and Answers

Q1.	What if I've uninstalled one of these products and no longer use it? Do I still need the patch?
A1.	As a precaution, we recommend that customers who have installed any of the above products download the patch, which fixes a program called AnswerWorks, a third-party software package used by Intuit and other software companies. This action will eliminate the vulnerability in the event that other software on your computer is also using the affected versions of AnswerWorks. If you have uninstalled Intuit's products and prefer instead to verify that the affected versions of AnswerWorks are not on your computer, please follow the steps below. If the affected versions are not on your computer, no patch is necessary. To determine if AnswerWorks Version 4.0 or Version 5.0 is installed: Right-Click on your “Start” menu and select “Explore.” Open the following folders in order: Local Disk (C:) > Program Files > Common Files. (Note: You may receive a message when you open your Program Files folder that “These Files are Hidden.” Go ahead and click on the “Show the Contents of This Folder” link.) If you find a folder called “AnswerWorks 4.0” or “AnswerWorks 5.0” in your Common Files directory, Intuit strongly recommends that you apply the patch.
Q2.	How do I download and install the patch?
A2.	All affected users of Intuit products should download the security patch. When the page appears: Click the “Download” button to start the download, or choose a different language from the drop-down list and click “Go.” Select “Open” or “Run This Program From its Current Location” to begin installing the patch immediately. Restarting your computer is not required. If you don't have time to install the patch, you can select “Save” or “Save This Program to Disk” and the patch file, called “awMinimalPatchEnglish.msi” will download to your hard drive. To finish the installation, you'll need to open that file to run the patch.
Q3.	How do I check that the security patch has been applied?
A3.	To make sure the patch as been applied and that either AnswerWorks 4.0 or AnswerWorks 5.0 are installed on your system, do the following: If the security patch has been applied, the AnswerWorks 4.0 control will be at file version 4.0.0.101 or 4.0.0.102. You can check the version number by following these steps: Right-click on your “Start” menu and select “Explore.” Open the following folders in order: Local Disk (C:) > Program Files > Common Files. (Note: You may receive a message when you open the Program Files folder that “These files are hidden.” Go ahead and click on the “Show the Contents of This Folder” link.) If you find a folder called “AnswerWorks 4.0,” open it. Right-click on the AWAPI4.dll (or AWAPI4) file and select “Properties.” Click the “Version” tab. If the file version is 4.0.0.101 or 4.0.0.102 the patch was installed successfully. If the security patch has been applied, the AnswerWorks 5.0 control will be at file version 5.0.0.7 or higher. You can check the version number by following these steps: Use Windows Explorer to navigate to the directory - c:\Program Files\Common Files\AnswerWorks 5.0. Right-click on the AWAPI5.dll file and select “Properties.” Click the “Version” tab. Check that the File version is 5.0.0.7. If it is, this patch was installed correctly.
Q4.	What operating systems are supported?
A4.	The security patch is available for all operating systems used by affected Intuit applications: Windows XP, Windows Vista, and Windows 2000. If you are running Windows 98 or Windows ME, you need to have Internet Explorer 6.0 or later installed before you can install the update. Go to the Internet Explorer Products Download Web page to install a more recent version of IE. Note: Intuit products for Apple MacOS X are not affected.
Q5.	What if I have multiple Intuit products? Do I need to download and install the patch for each one?
A5.	No, the security vulnerability is in a shared software component that is used by several Intuit products, as well as other software packages which may be installed on your computer. By downloading and installing the security patch once, you eliminate the vulnerability for all products, Intuit as well as others.
Q6.	I still have a trial version of TurboTax installed on my system. Do I still need to apply the security patch?
A6.	Yes. If you have any trial versions of TurboTax installed on your system from tax years 2003-2006, you should download and install the security patch.
Q7.	I only use the Internet on a periodic basis. Do I still need to download the security patch?
A7.	Yes. If you installed any of the affected products on your computer, the vulnerability poses a security risk regardless of whether you are currently connected to the Internet. We recommend that all affected users download and install the security patch.