Critical ActiveX flaw haunts LinkedIn toolbar

Critical ActiveX flaw haunts LinkedIn toolbar

Summary: Exploit code for an "extremely critical" LinkedIn Toolbar vulnerability has been posted on the Internet, putting users at risk of PC takeover attacks.

SHARE:
TOPICS: Security
9

Critical ActiveX flaw haunts LinkedIn toolbarThe flaw, which is not yet patched, was discovered by researchers at VDA Labs. A proof-of-concept demo has been released to show how a PC can be hijacked if a LinkedIn toolbar user is lured to a booby-trapped Web site.

The toolbar is marketed by the social network site to let users search LinkedIn directly from the browser and is available for both Internet Explorer and Firefox.

The vulnerability only affects IE versions of the toolbar.

A Secunia advisory offers details of the bug:

The vulnerability is caused due to an error within the IEToolbar.IEContextMenu.1 (LinkedInIEToolbar.dll) when handling the "Search()" method, which takes in a VARIANT as the "varBrowser" argument. This can be exploited to execute arbitrary code when a user visits a malicious website. The vulnerability is confirmed in version 3.0.2.1098. Other versions may also be affected.

In the absence of a patch, Secunia recommends setting the kill-bit for the affected ActiveX control. Or, better yet, uninstall the LinkedIn Toolbar.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments
Log in or register to join the discussion
  • Vista?

    Does it affect folks running Vista? Or are they protected even after insalling the buggy LinkedIn bits via protected mode?
    KTLA
    • Tested on xp sp2

      The exploit has only been tested/confirmed on XP SP2.

      _r
      Ryan Naraine
  • and that's why I don't allow 3rd party toolbars to install <nt>

    .
    Badgered
    • 100% agreed (nt)

      nt = no text
      CobraA1
  • oh active-x...do we really need you and your continual security holes?

    you have been associated with soooo many security holes it should make you blush.
    jjarman
    • "No"

      I think the answer is "No".

      In a sane society someone would be in jail over ActiveX and the way Microsoft created
      it to try and make an end run around their agreement with the DoJ.
      Resuna
      • Please explain

        Can you explain your logic? Do you even know what ActiveX is?
        Marty R. Milette
  • Toolbars waste of real estate

    Toolbars are a total waste of real estate on the browser, let alone the Bugs and what have you. I don't need something thats cutsey that is reporting back to some adware site or something.

    maybe its time to toss the Toolbar in the RECYCLE BIN ! I don't click on the additional MBs for a free tool bar.

    my inflated 99 cents worth :-)
    mark.holman
  • IE Toolbar vulnerability has been fixed

    I'm the Community Evangelist at LinkedIn. We released a fix yesterday that was pushed out to all of our users. The fix is required for users otherwise the toolbar shuts down.

    Also, there were no reports of malicious exploits.

    Let me know if you've any questions.
    mariosundar