The flaw, which is not yet patched, was discovered by researchers at VDA Labs. A proof-of-concept demo has been released to show how a PC can be hijacked if a LinkedIn toolbar user is lured to a booby-trapped Web site.
The toolbar is marketed by the social network site to let users search LinkedIn directly from the browser and is available for both Internet Explorer and Firefox.
The vulnerability affects only the IE version of the toolbar.
A Secunia advisory offers details of the bug:
The vulnerability is caused by an error within the IEToolbar.IEContextMenu.1 (LinkedInIEToolbar.dll) when handling the "Search()" method, which takes in a VARIANT as the "varBrowser" argument. This can be exploited to execute arbitrary code when a user visits a malicious website. The vulnerability is confirmed in version 22.214.171.1248. Other versions may also be affected.
In the absence of a patch, Secunia recommends setting the kill-bit for the affected ActiveX control. Or, better yet, uninstall the LinkedIn Toolbar.
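The kill-bit mitigation, as an added example that is not from the article or from Secunia: the script resolves the control's CLSID from the ProgID the advisory names (the article does not list the CLSID, so it is read from the registry rather than hard-coded), then sets the Compatibility Flags kill-bit under both the native and the Wow6432Node ActiveX Compatibility keys and verifies the result. It assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not the article's or Secunia's code): set the IE ActiveX
# kill-bit for the control named in the advisory, IEToolbar.IEContextMenu.1.
# Run from an elevated PowerShell prompt.
param(
    [string]$ProgId = 'IEToolbar.IEContextMenu.1'
)

# Resolve ProgID -> CLSID from HKCR\<ProgID>\CLSID (its default value).
$progKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
if (-not (Test-Path $progKey)) {
    Write-Warning "ProgID $ProgId is not registered on this machine; nothing to do."
    return
}
$clsid = (Get-ItemProperty -Path $progKey).'(default)'
if (-not $clsid) { throw "Could not read the CLSID for $ProgId" }

# Flag 0x400 in 'Compatibility Flags' tells IE never to instantiate the control.
$KILL_BIT = 0x400

# 64-bit Windows keeps a second copy of the key for 32-bit IE under Wow6432Node;
# only roots whose parent 'Internet Explorer' key already exists are touched,
# so a 32-bit machine does not get a spurious Wow6432Node tree created.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer'
) | Where-Object { Test-Path $_ }

foreach ($root in $roots) {
    $compatKey = Join-Path $root "ActiveX Compatibility\$clsid"
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }

    # Preserve any flags already present and OR in the kill-bit.
    $existing = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newFlags = ([int]$existing) -bor $KILL_BIT
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value $newFlags -Type DWord

    # Read it back and confirm the bit is set.
    $check = (Get-ItemProperty -Path $compatKey).'Compatibility Flags'
    if (($check -band $KILL_BIT) -ne $KILL_BIT) {
        throw "Kill-bit was not set under $compatKey"
    }
    "Kill-bit set for $ProgId ($clsid) under $root"
}
```

Uninstalling the toolbar removes the control entirely; the kill-bit only stops IE from loading it, which is why the advisory ranks it as the fallback.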