Check Point identified a vulnerability in LinkedIn’s messenger service that could allow an attacker to exploit and then spread malicious files masquerading as a resume or other legitimate files (such as doc, xls, ppt files).
There were four flaws reported by Check Point to LinkedIn on June 14th and fixed just ten days later on June 24th.
The vulnerability was demonstrated by Check Point using the following examples, where an attacker could craft a:
- Malicious Power Shell script (PS1) and saves the script as a .pdf file.
- REG file which contains a malicious PowerShell script and disguise it as a .pdf file.
- Malicious XLSM file, embedded with Macro (scrambled VB script shell code), then disguised as an XLSX file.
- Malicious DOCX file containing an external object or OLE (taking advantage of CVE 2017-0199). This object can be linked to an HTA file on the attacker’s server.
Advanced threat protection against these and future zero-day threats are important controls organizations can consider to help remove and sanitize exploitable content (such as active content and embedded objects). Examples include SandBlast Threat Extraction, Symantec’s ATP and McAfee’s Advanced Threat Defense, to name just a few.
Also, check out this good article from Digital Guardian “Expert Tips for Protecting Your Organization Against Advanced Threats” that offers some good tips from 26 security pros on best approaches and solutions for advanced threat protection.