MS Excel exploit on auction
geo_2677 writes "Someone had put up for auction on eBay the details of an exploit in Microsoft Excel according to a recent article on Securityfocus. According to the article Microsoft has confirmed that this vulnerability exists, but in the meantime the original listing on eBay has been pulled." The auction has now been pulled, but it does appear that Microsoft has confirmed the vulnerability in an eweek article.
First, in the interest of stimulating more informed discussion, here is some more information concerning the auction:
From the auction text: Second, two questions:
Discuss.
____
~ |rip/\/\aster /\/\onkey
eBay is infested with public domain repackagers and sellers of "information" that they seem to do nothing about. But if Microsoft doesn't like an auction, it's gone, apparently.
I too have felt the cold finger of injustice.
Now THAT'S capitalism!
(Or at least a good demonstration of Ferengi behavior...)
Can't think of a better way to get people to learn about/abuse an exploit than to draw massive attention to it by yanking the auction. Way to go, ebay!
so you're the seller?
I'll buy that one as soon as I buy the product which tells me how to remove all spyware by formatting my hard drive. It's only $7.95, and he sends the PDF file as soon as payment is received. Now if only I knew how to open a PDF file. :(
Maybe I'll search ebay, and someone can sell me a product which tells me how to open a PDF file. :) :)
But first, I need to bid on this guy who claims he can teach me how to get Plasma TV's for free from the manufacturers. He says in his ebay auction that manufacturers don't have enough people to test their product and they want me to help them!
Ebay is more good than bad, but how can these people sell garbage?
If the guy is selling information on how to exploit software, doesn't that violate the DMCA?
I guess I should not complain. Ebay is the only place I know of that has everything, the world's largest flea market.
The seller openly taunts the software giant, poking fun at the company's delays in providing fixes for known security bugs. "It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product),"
Wait, so this is all just a taunt and not true?
Looking at the motivation this guy has, I can't really see how it can be good.
So, it was submitted to Microsoft on the 6th, and since then he's received a reply stating they'll probably be working on a fix. That was LESS THAN A WEEK AGO. Releasing vulnerabilities is something that, IMO, should only be done if (a) there is some specific need for everyone to know about it right now, or (b) requests for fixes have fallen on deaf ears or otherwise failed for an extended period of time.
This meets neither of those criteria.
- looking to make a profit from releasing details of a vulnerability
- phrasing the auction in a way that makes it clear he wants the buyer to do something bad - "It can be assumed that no patch addressing this vulnerability will be available within the next few months"
Sounds to me more like some dumb little script kiddy that got lucky finding a small hole, but doesn't have the ability to do anything with it. Working from an illogical hatred of MS he's trying to get someone else to unleash a virus on the world on his behalf.
What a great guy.
Who is the bigger sucker?
The people who bid on an exploit to make Excel crash? Or those who believed that this was a critical security flaw? Or Ebay for posting it in the first place?
If you really want to know how to make Excel crash, pick your poison - here is a free link:
http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=excel+crash
He who knows best knows how little he knows. - Thomas Jefferson
Why should not one be able to sell a vulnerability since they are in fact commodities?
If you can profit from making them, profit from dealing with them, then why not profit by discovering them? There are precedents like this: the patent system has companies that hold patents for no other reason than to sue other companies when they trip on a patent.
All this will do is force the practice underground. Mind you, it does let the world know it is going on.
How would you go about setting the price of a security hole? What is the worth?
"By monetary value of what could be lost exploiting the hole", or something else? Estimation of possible gains (user data like credit card info) through usage of the hole - the perpetrator's view?
Because, let's face it: There are people out there willing to pay for information like this.
(and I'm not saying it's right - just stating the fact). There are also others wondering how some things come to pass, and the damage bad code review actually causes.
ok, sorry - possibly OT. But I *am* interested in /. ers reasoning about "the value/possible cost of security holes".
"If it can be thought up, there exists at least one person trying to make it happen for real" - Phil
hmmm. it seems like the server is running excel...
here is another article covering this...
People are already paying for vulnerabilities in Microsoft software. They get them as part of the purchase of software licenses. (Now, having actual KNOWLEDGE of such vulnerabilities is another matter I suppose...)
I don't think it was very irresponsible, maybe only a little, it just lights that fire under Microsoft to fix it. Considering my lack of using unknown excel files I'm not too worried about it. Like some other posts say, it brought much less attention to the exploit than e-bay pulling it did.
The exploit is: Press Alt-F4, click the "No" button if it asks if you want to save. Dude... everything they had in the sheet will be gone!!! Is that 133t or what?
"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."
-- Commissioner Pravin Lal
Real Daleks don't climb stairs - they level the building.
^_^
and shame on the moderators as well. This is obviously either a publicity stunt or this guy is just having some fun and saying fuck you M$ in a very public arena. Did you read this hilarious part?
Special offers:
Microsoft representatives get 10% off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout.
parent says: phrasing the auction in a way that makes it clear he wants the buyer to do something bad
No, specifically forbidden by auction text, with no winks or smilies or anything ironic.
Your bid indicates that you agree to the following:
1. You may not use this information for malicious or illegal purposes. The information you receive is for educational and research purposes only.
2. The seller reserves the right to refuse delivery to anyone (a full refund will be issued).
3. The seller will accept no responsibility for anything you do with this information.
4. The seller cannot be held liable under any circumstances.
5. Absolutely no refunds will be provided except for the reason mentioned above.
Parent says: Looking at the motivation this guy has, I can't really see how it can be good.
It calls to attention that a critical vulnerability will go unpatched for months after it has been properly disclosed. That is the way that it can be good.
music lover since 1969
The auction was canceled and I was the high bidder too!
Here's a mirror of the auction.
Joel
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
It seems to me that E-Bay are behaving somewhat unfairly in pulling this auction. The seller has clearly devoted some time and effort into discovering this piece of information and has behaved responsibly by informing Microsoft of the problem in their software.
I see no reason why he shouldn't be compensated for the work he's done here and if Microsoft aren't paying him then it's only fair that he offers his work to the highest bidder, it's perhaps unfortunate for Microsoft that he can leverage the most value for his work before they have had a chance to patch the problem but the seller doesn't have any obligation to Microsoft and their problems are no concern of his.
From the auction: Microsoft representatives get 10% off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout
:¦:-:*'""*:.-:¦:-*Super EBuyer!!*-:¦:-:*'''''*:-:¦:-*Thanks BillyG1955!!*-:¦
I was reading through ebay T&C, because the article made me curious.
I, for one, am very disappointed that I cannot list a prohibited country for sale:
Imagine that.
http://feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&userid=fearwall
:)
Looks like the seller just bought a keystroke logger....
ebay loves to stop any auction once someone doesn't agree with it. He should have been able to sell the information, microsoft was notified of the issue. Better yet, maybe he should have just put the whole exploit in the auction for everyone to read!
This could be the start of a good way to embarrass companies into fixing bugs AND punishing bad people. Evil person wants to use the exploit, so they bid. Microsoft don't want the exploit usable, so they fix it (run with me on this one for a moment). The clever bit is, the Seller (who is honest, intelligent and socially responsible) sets the auction expiry time far enough into the future to cause a race between the two. M$ are put on public notice when the exploit becomes usable. If they win the race, Evil Person has to pay for no benefit (or M$ would give them a bad ebay rating - that'd hurt, right?). If they lose the race, public humiliation ensues. This is sort of like the Bounty system, in reverse. Or just plain blackmail. Either way, it would be fun to watch.
I'm pretty sure it was meant as a joke, he just took a chance to jab at MS. Don't take it too seriously. After all, he only wanted 1 cent for it.
The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
What's the difference? They're both fun to put your mouth on but all the noise they make is boring.
Well, except for Miles but he's dead. His trumpet I mean.
Even Maynard Ferguson is getting old. In more ways than one.
My work here is dung.
So is it OK for me to provide a detailed description of how to make a suitcase nuclear weapon, including people to contact to get the materials used in its production? How about the nuclear launch codes and how to use them? How about some top secret security codes used for encryption of data regarding national security? How about the security codes to your house alarm?
Suppression of information is a necessary fact of life in a world where information can be used to harm others.
This does not justify suppression of any information a government feels like suppressing. Each case must be examined carefully, but to say that there is never a justifiable reason to suppress information is dangerous and clearly at odds with reality.
...excell sells YOUR vulnerabilities on Ebay!
A security hole gets its value from the attached object. A how-to on bypassing shed locks is of less value than a how-to on bypassing a bank safe.
Next would come how easy it is to exploit the security hole. This one seems to require people to open an Excel sheet. This obviously makes it of lesser value than, say, an exploit that works when a user opens a gif file via IE. Even more valuable would be an exploit that does not require the user to do anything but can attack any computer just hooked up to the net.
Would there be money in it? You bet. Once you got an exploit, using it to install a botnet is child's play and botnets are big business. If you can deliver a 10,000 zombie network there are people willing to pay you hard cash in exchange. Even for just renting it.
However you would hardly do this over e-bay. There are very few legit uses for a botnet and therefore your potential customers would prefer a less public way of trading it.
But it does happen. It is one of the reasons we see so few destructive viruses vs the ones that turn a pc into a zombie. Used to be different. Once the majority of viruses either joked or destroyed your machine. Now you just got a zombie. Do I have proof?
No of course not. Just stories, tall tales from the server room and hints that should a company that hosts pay sites wish to do some advertising that they might know ways that do not involve constantly trying to find the next provider willing to be placed on a ban list for spam.
Spam sells, ISPs are unwilling to host spammers, so the only question is, will spammers pay for a botnet that can do their spamming. Does the pope shit in the woods?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
eBay has no obligation to list anything in particular. It is in their best interests to list most auctions without objection since the more that sells the more money they make, but there's no obligation. If eBay management decided that they wanted to ban selling of all religious items or something, they'd be well within their rights.
Now if I worked for eBay and was the guy with his finger on the button, so to speak, for canceling auctions, I'd pull this. Why? Well simple cost-benefit analysis:
It's entirely possible, even likely, this guy is lying (I'm talking from their perspective, pre MS announcement) and thus we'll just get involved with having to refund someone's money in the end. But let's assume he's telling the truth. In that case we would be on the hook for a ton of bad publicity since no doubt the press would eat up the story of eBay selling hacking instructions, and we might even be civilly or criminally liable for knowingly allowing this to go on. Now weigh that against the 2% or so we'd make from the final sale, maybe a few hundred at most if the auction gets bid way up. Not even a blip on our balance sheet. Thus, we cancel the auction.
eBay's a business, pure and simple. They'll let you sell whatever you want (for a cut) unless they feel what you are selling might cause them trouble. That's why they ban some entire classes of items, like firearms. It's not illegal to sell firearms on the Internet, and there are sites that do it. However it's tricky, since they have to be shipped to a licensed dealer and so on. It exposes you to a lot more liability, liability eBay doesn't want, so they just outright ban them.
******SPECIAL******
For a Limited Time
get a CD with instructions on how to make Excel Crash!!!!
Starting bid $1
[text size="fine print"]only $59.95 for S/H[/text]
I understand why they pulled it. Think about it...you've managed to collect about 10 people with a lot of money and bad reputations, along with about 10 people with a lot of money and a lot to lose to the people with the bad reputations. They're all there and you offer for auction the world's best superweapon. We'll call it a frickin' laser for the sake of argument. So you start bidding on the frickin' laser at $.01 and somebody dishonest makes an offer. This is immediately followed by another dishonest guy who wants it for himself, then an honest guy that doesn't want either of them to have it, then by another honest guy that doesn't know guy 3 was, in fact, honest and is just trying to save his own hide. Who's going to win? Well, it'll be the guy with the most chips to bet, but everyone's going to be on pins and needles to see which side of the fence he's on. It's basically holding all 20 people hostage to themselves and seeing what shakes out. Pretty slick marketing if you think about it.
Jester
Warning: This sig may be legally binding in England.
I thought M$ bugs were a dime a dozen.
-SHP
Hunting stores sell lots of guns and knives all the time, and if someone buys one of these and kills someone else the hunting store is not to blame. Just as this guy should not be blamed if his sale had led to a misuse of the exploit.
Just watch Security Focus or FrSIRT for all your 0-day MS exploit needs.
Blame the user, not the software.
This stunt just reflects poorly on security researchers. Yes it sucks that MS is slow to respond, but threatening to sell the exploit to the highest bidder doesn't help. It just comes off as extortion or aiding virus writers.
When MS called EBay to tell them to take down the auction, it probably sounded like this BOFH quote:
"Two seconds later the red phone goes. I pick it up, it's the boss. He mumbles the username of the person I was just talking to, mentions something about a nasty mail message, and utters the words "You know what to do...", with the dots and everything."
--Acercanto
You can have only two of the following three qualities when developing a product: cheap, fast or good.
Exactly. From the Microsoft viewpoint, trying to secure anything without their permission or use of another one of their products is criminal.
Stop questioning Microsoft you criminal!
Get your Unix fortune now!
http://www.starwars.com/databank/starship/tradefe
Weapons:
14 quad turbolaser turrets;
34 dual laser cannons;
2 ion cannons;
12 point-defense ion cannons;
102 proton torpedo tubes
[Fuck Beta]
o0t!
There is a followup on ebay!
Daniel Rovaniemi
hostmaster@fjupp.com
what's the point of the new auction? to see if the geniuses at eBay pull it?
Companies operate with constrained resources in order to generate a profit. While developing a product a company only experiences cost, no income. After the selling starts a company receives income that slowly covers development cost until it breaks even. After break even, additional sales generate profit. After sales start any maintenance work reduces profit.
Why do I talk about what everyone already knows? A company like Microsoft must decide for themselves how to use their limited resources. They decide how serious a bug is by looking at the urgency, and seriousness vs reduced profits. They make a decision based on their own interest. By putting an exploit on ebay, the cost and seriousness of the bug is not decided merely by Microsoft, but by the market.
If MS thinks it's irrelevant, they need not do anything. If they think it's serious, they will have the choice of either fixing it until the auction ends, or bidding to prevent disclosure. Third parties interested in security will also have a chance to bid, however they must realise that their purchase may soon lose value if a fix is provided.
Overall I think it's a good idea - in the best case it encourages a faster fixing of issues.
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=6588680836
Apparently he is a researcher that was looking to find the true market value for an exploit by selling it on ebay. Was gonna write a paper.
...what's to stop any random idiot from claiming your auction is violating something or other and telling eBay to pull your auction? Case in point: some organization calling itself "SIIA (The Software & Information Industry Association)" has pulled my wife's auction of a set of Kaplan USMLE study books...wait for it...which she bought on eBay. Lots of other auctions for the exact same items stay on and go through to completion. Sounds like someone doesn't like competition and knows how to game the system.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt