In a move sure to fuel the debate over responsible disclosure, a pair of security researchers today posted public exploit code for a severe vulnerability affecting users of the Internet Explorer toolbar for business networking site LinkedIn.
The client-side ActiveX flaw, which garnered Secunia’s highest severity rating of "extremely critical," can permit an attacker to remotely execute arbitrary code, Jared DeMott, one of the vulnerability’s discoverers, told SCMagazine.com today.
Users are exploited when they visit a malicious website, according to a Secunia advisory. The bug is caused by an error in the toolbar when handling the "Search()" method.
DeMott said he decided to go public with the exploit after an official with Mountain View, Calif.-based LinkedIn, which has more than 12 million members, hung up on him. That is when he knew the vulnerability would end "0-day style," he said.
DeMott, who runs Rockford, Mich.-based VDA Labs with his partner Justin Seitz, said he called LinkedIn to either sell the bug or offer his company’s consulting services, like he does for any vendor impacted by a vulnerability discovered by DeMott or Seitz.
VDA Labs charges about $175 to $200 an hour for consulting and usually about $5,000 to purchase a significant zero-day flaw, DeMott said.
Kay Luo, spokeswoman for LinkedIn, told SCMagazine.com today that the company does not respond to researchers looking to profit off vulnerabilities.
She added that the only users affected are those who have downloaded the toolbar. The company does not release how many people use that feature.
"For it (the vulnerability) to be a risk, the user would have to be lured into navigating to a malicious website," Luo said. "Right now, we don’t have any reports of malicious exploits. We’re looking at it and taking it very seriously, but I think we’ll have it fixed shortly."
When LinkedIn did not respond to DeMott’s call, he said he had no choice but to publicly release the exploit.
"Releasing it ... is absolutely a last resort for us," he said.
But after receiving no response from LinkedIn, DeMott said he was forced to "take the fame at that point and drop it 0-day style…The Russian mob could’ve downloaded it and drafted a code and be using it right now."
DeMott said he never sells vulnerabilities to non-U.S. or criminal buyers, nor does he do business with such bounty programs as VeriSign iDefense Labs and TippingPoint Zero Day Initiative over worries they might keep the vulnerability details, even if they reject the discoverer’s findings.
Both companies deny that.
Ken Dunham, senior engineer with the VeriSign iDefense Rapid Response Team, told SCMagazine.com today that vulnerability research remains the property of the discoverer "until VeriSign is able to purchase it and obtain legal ownership."
Terri Forslof, manager of security response at TippingPoint, said: "Any submission to the Zero Day Initiative program for which an agreement is not reached by both sides is immediately flushed from the system…A rejected submission is not even discoverable to us internally once it's been rejected."
DeMott said he relies on vendors either purchasing the bug or services from VDA Labs. DeMott understands how companies such as LinkedIn may think of his and Seitz's business model as questionable, but he said he is "not trying to do damage to them."
"I see both sides of it," he admitted. "But I also see that as a researcher, I work hard days and nights to find these bugs. I think we deserve some compensation."
Reported by Dan Kaplan.