Critical ActiveX flaw haunts LinkedIn toolbar

Exploit code for an "extremely critical" LinkedIn Toolbar vulnerability has been posted on the Internet, putting users at risk of PC takeover attacks.

Critical ActiveX flaw haunts LinkedIn toolbar
The flaw, which is not yet patched, was discovered by researchers at VDA Labs. A proof-of-concept demo has been released to show how a PC can be hijacked if a LinkedIn toolbar user is lured to a booby-trapped Web site.

The toolbar is marketed by the social network site to let users search LinkedIn directly from the browser and is available for both Internet Explorer and Firefox.

The vulnerability only affects IE versions of the toolbar.

A Secunia advisory offers details of the bug:

The vulnerability is caused due to an error within the IEToolbar.IEContextMenu.1 (LinkedInIEToolbar.dll) when handling the "Search()" method, which takes in a VARIANT as the "varBrowser" argument. This can be exploited to execute arbitrary code when a user visits a malicious website. The vulnerability is confirmed in version 3.0.2.1098. Other versions may also be affected.

In the absence of a patch, Secunia recommends setting the kill-bit for the affected ActiveX control. Or, better yet, uninstall the LinkedIn Toolbar.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All