The client-side ActiveX flaw, which garnered Secunia’s highest severity rating of "extremely critical," can permit an attacker to remotely execute arbitrary code, Jared DeMott, one of the vulnerability’s discoverers, told SCMagazine.com.
Users are exploited when they visit a malicious website, according to a Secunia advisory. The bug is caused by an error in the toolbar when handling the "Search()" method.
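The advisory describes a client-side ActiveX control that any web page can instantiate; the standard Windows mitigation while waiting on a vendor fix is to set the control's "kill bit" so Internet Explorer refuses to load it. The following is an added example, not code from the article, Secunia or VDA Labs; it assumes the control's CLSID, which the article does not give, so a placeholder CLSID is used and must be replaced with the real one from the vendor advisory.

```powershell
# Added example (not from the article): set the Internet Explorer ActiveX kill bit
# for one control so IE will not instantiate it from any page, malicious or not.
# The CLSID below is a placeholder; the article does not state the toolbar's CLSID.
$clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, replace with the real CLSID
$key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"

# Create the per-control key if it does not exist yet
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Compatibility Flags = 0x400 is the kill bit: IE refuses to load the control
Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord

# Verify the flag was written
Get-ItemProperty -Path $key | Select-Object -ExpandProperty 'Compatibility Flags'
```

Run from an elevated prompt; on 64-bit Windows the 32-bit IE process reads the same path under `HKLM:\SOFTWARE\Wow6432Node\...`, so set both. The kill bit only blocks instantiation; it does not remove the toolbar, so it should be cleared once the vendor ships a fixed control.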
DeMott said he decided to go public with the exploit after an official with Mountain View, Calif.-based LinkedIn, which has more than 12 million members, hung up on him. That is when he knew the vulnerability would end "o-day style," he said.
DeMott, who runs Rockford, Mich.-based VDA Labs with his partner Justin Seitz, said he called LinkedIn to either sell the bug or offer his company’s consulting services, like he does for any vendor impacted by a vulnerability discovered by DeMott or Seitz.
VDA Labs charges about US$175 to US$200 an hour for consulting and usually about US$5,000 to purchase a significant zero-day flaw, DeMott said.
Kay Luo, spokeswoman for LinkedIn, told SCMagazine.com that the company does not respond to researchers looking to profit off vulnerabilities.
She added that the only users affected are those who have downloaded the toolbar. The company does not release how many people use that feature.
"For it (the vulnerability) to be a risk, the user would have to be lured into navigating to a malicious website," Luo said. "Right now, we don’t have any reports of malicious exploits. We’re looking at it and taking it very seriously, but I think we’ll have it fixed shortly."
When LinkedIn did not respond to DeMott’s call, he said he had no choice but to publicly release the exploit.
"Releasing it ... is absolutely a last resort for us," he said.
But after receiving no response from LinkedIn, DeMott said he was forced to "take the fame at that point and drop it o-day style...The Russian mob could’ve downloaded it and drafted a code and be using it right now."
DeMott said he never sells vulnerabilities to non-US or criminal buyers, nor does he do business with such bounty programs as VeriSign iDefense Labs and TippingPoint Zero Day Initiative over worries they might keep the vulnerability details, even if they reject the discoverer’s findings.
Neither an iDefense nor a TippingPoint representative could immediately be reached for comment today.
DeMott said he relies on vendors either purchasing the bug or services from VDA Labs. DeMott understands how companies such as LinkedIn may think of his and Seitz's business model as questionable, but he said he is "not trying to do damage to them."
"I see both sides of it," he admitted. "But I also see that as a researcher, I work hard days and nights to find these bugs. I think we deserve some compensation."
Researchers release LinkedIn bug 'o-day style'
By Dan Kaplan on Jul 25, 2007 9:48AM