Posted by: Robert Westervelt
Application Security, Information Security Threats
Security researchers have discovered a flaw in a toolbar issued by the popular business networking site LinkedIn that could allow an attacker to conduct a denial of service attack or take complete control of an affected system.
The LinkedIn toolbar is used in conjunction with Microsoft Internet Explorer to conduct a search for contacts and connect users to the LinkedIn network.
Danish vulnerability clearinghouse Secunia rated the flaw “highly critical” in its SA26181 advisory because attackers can exploit the flaw remotely. A working exploit code is publicly available and the flaw remains unpatched, Secunia said.
According to the researchers that discovered the flaw, Jared DeMott and Justin Seitz, of Rockford, Mich.-based VDA Labs, the flaw can be easily exploited.
“If a user, with the LinkedIn toolbar installed, is tricked into browsing a website that contains the above code — game over,” the researchers said in their advisory.
The French Security Incident Response Team (FrSIRT) said the issue is caused by a buffer overflow error in the toolbar ActiveX control when processing malformed arguments passed to the “search()” method.
The research firms said users can set the kill-bit for the affected ActiveX control as a temporary workaround until a patch is released.