log4j Vulnerability

As you learn to deal with this, Quicken, please advise your customers on how to protect themselves from the consequences of this Java based vulnerability in the Quicken context.

Comments

  • Steve54@
    [email protected] Member ✭✭
    edited December 2021
    It is concerning that Quicken doesn't have a prominent statement on log4j. [Removed-Disruptive/Speculation]
    Trust but verify!!!
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Just so people know what is going on with log4j so I will explain.

    log4j is a popular open-source program for monitoring server activity.
    And yes, it is written in Java.  And they have found problems that allow a hacker to run programs on those servers by sending certain messages to it.

    Quicken "the program" doesn't use log4j or Java for that matter, so it isn't "Quicken" that might be at risk.

    Now clearly Quicken Inc has servers for the "Quicken Connection Services" (Quicken Cloud data set), website, and of course is paying Intuit for Express Web Connect (+) services that have servers too.  Not to mention that it seems like Quicken's servers are on AWS (Amazon Web Services).

    Direct Connect or Web Connect shouldn't be affected at all, but Sync to Mobile/Web and Express Web Connect (+) may be in the crosshairs if they are using this utility on the servers that are maintaining the Quicken data.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
  • Quicken Kathryn
    Quicken Kathryn Administrator admin
    edited December 2021
    Hi All,
    First, thanks, @Chris_QPW for the summary!  After this vulnerability was exposed, our security team  reviewed all of our systems and third-party partners, and we've verified that we are not impacted by the log4j issue.  

    In addition, we've added additional logging and security to mitigate any potential future vulnerabilities, and reviewed our system logs to verify that there were no breaches of any kind.

    As for dealing with this in the future, while there are no vulnerabilities in Quicken, the primary way of exploiting this issue appears to be via phishing attempts, so as always, keep an eye out for odd emails and be wary of clicking links or attachments from senders you aren't sure of.  

    Hope this helps--
    Quicken Kathryn
    Community Administrator
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    @Quicken Kathryn thanks for the update.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
This discussion has been closed.