Slashdot Mirror


MS Excel exploit on auction

geo_2677 writes "Someone had put up for auction on eBay the details of an exploit in Microsoft Excel, according to a recent article on Securityfocus. According to the article, Microsoft has confirmed that this vulnerability exists, but in the meantime the original listing on eBay has been pulled." The auction has now been pulled, but it does appear that Microsoft has confirmed the vulnerability in an eWeek article.

21 of 179 comments

  1. What were the grounds for pulling the auction? by Ph33r+th3+g(O)at · · Score: 5, Insightful

    eBay is infested with public domain repackagers and sellers of "information" that they seem to do nothing about. But if Microsoft doesn't like an auction, it's gone, apparently.

    --
    I too have felt the cold finger of injustice.
    1. Re:What were the grounds for pulling the auction? by mrRay720 · · Score: 3, Insightful

      ----
      eBay is infested with public domain repackagers and sellers of "information" that they seem to do nothing about. But if Microsoft doesn't like an auction, it's gone, apparently
      ----

      I don't see anything wrong in charging a nominal fee for redistributing public domain work. It's not as if it's not still free somewhere else, it just saves you the effort of going out and rounding it up yourself. In a world of 'money first', allowing this can only help that little bit extra to keep said work alive. How is this different to the books of Dickens still being printed and charged for? The words themselves are free now, but you're paying for them to be wrapped up in a little paper package for you.

      Anyone spending money on an auction for info on how to get a 'free ipod' deserves to get ripped off.

      Quite how either of those are like someone trying to make a profit from selling info on a vulnerability potentially harming millions to a virus writer is beyond me though.

      One is making a bit of money (indirectly) helping to keep public domain work alive, the other is trying to profit from the harm of others.

    2. Re:What were the grounds for pulling the auction? by ultranova · · Score: 4, Insightful

      Anyone spending money on an auction for info on how to get a 'free ipod' deserves to get ripped off.

      No they don't. The naive and/or stupid don't deserve to get ripped off any more than old people deserve to get their hipbones broken, or people who don't do martial arts deserve to get beaten up by muggers. These all happen, but they are not right, just nor the way things should be. That someone is weak is not sufficient justification for others to prey on him.

      I really hate this callous attitude of "If someone can't protect themselves, they deserve to have bad things happen to them, especially if it helps someone else to line their pockets". Especially since the people saying so are the first ones to complain when a bigger bastard, be it government or big business, makes them the ones who get ripped off.

      I guess it is fashionable today to preach about "personal responsibility" and pervert that to mean an attitude of utter pitilessness towards other human beings. Notice how these people are talking about others' personal responsibility as an excuse for their heartlessness. They demand that their property is protected by law, but when that same law is used to provide food and shelter to other human beings - indeed, as soon as they are not the ones getting the benefits - these people start to loudly complain about "nanny state", "communism" or other similar things.

      Sorry for the offtopic rant, but I'm just so sick of this nonsense.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  2. Bad auction by mrRay720 · · Score: 5, Insightful

    Looking at the motivation this guy has, I can't really see how it can be good.

    So, it was submitted to Microsoft on the 6th, and since then he's received a reply stating they'll probably be working on a fix. That was LESS THAN A WEEK AGO. Releasing vulnerabilities is something that, IMO, should only be done if (a) there is some specific need for everyone to know about it right now, or (b) requests for fixes have fallen on deaf ears or otherwise failed for an extended period of time.
    This meets neither of those criteria.

    - looking to make a profit from releasing details of a vulnerability
    - phrasing the auction in a way that makes it clear he wants the buyer to do something bad - "It can be assumed that no patch addressing this vulnerability will be available within the next few months"

    Sounds to me more like some dumb little script kiddy that got lucky finding a small hole, but doesn't have the ability to do anything with it. Working from an illogical hatred of MS he's trying to get someone else to unleash a virus on the world on his behalf.

    What a great guy.

    1. Re:Bad auction by fufinache · · Score: 2, Insightful
      I think the seller was trying to get Microsoft's patch team into 2nd gear. It sounds like he just thought that making a bit of money out of it would be a side effect for him (look at the original posting price, 1 cent is hardly any profit).
      Releasing vulnerabilities is something that, IMO, should only be done if (a) there is some specific need for everyone to know about it right now, or (b) requests for fixes have fallen on deaf ears or otherwise failed for an extended period of time.

      Does that mean that if most of the parents in the world (say 80%) never used curse words, that their children will never swear? As long as the remaining 20% of parents are swearing, all the kids will eventually learn. I can think of 2 ways of solving such a problem: either you fix the root of the problem (not the messenger) or you educate others on the problem and how they can avoid it themselves.

      That was LESS THAN A WEEK AGO

      It's called responsibility, it comes with life, tasks that are seemingly impossible with very tight deadlines will pop up, and you will have to do them. Stop complaining and get back to work.

      I believe what he's done is rather smart; Microsoft had a week to fix the hole (which is what they should be doing) + they could always bid on the auction themselves to keep the seller's mouth shut if they need more time and hire more employees.

  3. Re:More information and a few questions: by Zeinfeld · · Score: 4, Insightful
    As the seller did in fact report this vulnerability to Microsoft first, would his subsequent attempt to call attention to the vulnerability by posting it for auction on eBay be considered 'irresponsible'?

    No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.

    EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.

    This is not 'full disclosure', it's selling information to the criminals.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  4. Re:You can buy anything on Ebay by xoip · · Score: 2, Insightful

    Ebay is more good than bad, but how can these people sell garbage?
    One man's Garbage is Another's Gold.

  5. Re:More information and a few questions: by Ph33r+th3+g(O)at · · Score: 5, Insightful

    You mean a security researcher or corporate security officer couldn't have used that information? People who believe that the suppression of information is okay because it could be misused are heading down a dark road, the price of return from which will have to be paid in blood someday by a future generation.

    --
    I too have felt the cold finger of injustice.
  6. Fire under microsoft by muindaur · · Score: 3, Insightful

    I don't think it was very irresponsible, maybe only a little; it just lights that fire under Microsoft to fix it. Considering my lack of using unknown Excel files I'm not too worried about it. Like some other posts say, it brought much less attention to the exploit than eBay pulling it did.

  7. Re:More information and a few questions: by RaymondInFinland · · Score: 5, Insightful

    No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.
    What about the system administrator trying to secure his networks? There are plenty of legitimate reasons why someone would want to know exactly what the vulnerability is so they are able to stop people from using it.

    EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.
    So vulnerabilities are now illegal material? Better call the cops and the feds to shut down Microsoft because they seem to be producing a lot of them.

    This is not 'full disclosure', it's selling information to the criminals.
    Wouldn't that depend on the person who would have won the auction? See also point 1).

  8. Re:Who is the bigger sucker here? by porkThreeWays · · Score: 2, Insightful

    The bug is believed to be a buffer overflow. This makes it a perfect candidate to execute malicious code within Excel. Imagine being able to send an Excel file to another company you don't think is being truthful with you and r00ting some of their boxen. You could pretty much spy on them all day without antivirus or antispyware picking you up. Imagine sending the Excel file to a game developer and stealing source code for an upcoming game *hint* *hint*. 0-day exploits and unknown exploits are a serious problem because most companies think they are safe with anti-virus. Anti-virus supplies little/no protection against these kinds of attacks.

    --
    If an officer ever threatens to taze you, say you have a pacemaker.
  9. Re:More information and a few questions: by Orgazmus · · Score: 2, Insightful

    Hopefully this one. It will be a good lesson in not shitting in your own nest.
    Let the revolution begin, I say.

    --
    The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
  10. obAlphaCentauriQuote by meringuoid · · Score: 2, Insightful
    People who believe that the suppression of information is okay because it could be misused are heading down a dark road, the price of return from which will have to be paid in blood someday by a future generation.

    "As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting its grip on public discourse has begun its rapid slide into despotism. Beware of he who would deny you access to information, for in his heart he dreams himself your master."

    -- Commissioner Pravin Lal

    --
    Real Daleks don't climb stairs - they level the building.
  11. Re:More information and a few questions: by krgallagher · · Score: 4, Insightful
    "This is not 'full disclosure', it's selling information to the criminals."

    Considering that the opening bid was set at $0.01, I doubt he really expected to profit. Instead he probably just wanted to call public attention to the exploit and force Microsoft to address it quickly.

    --

    Insert Generic Sig Here:

  12. An honest day's pay for an honest day's work by CmdrGravy · · Score: 2, Insightful

    It seems to me that eBay are behaving somewhat unfairly in pulling this auction. The seller has clearly devoted some time and effort to discovering this piece of information and has behaved responsibly by informing Microsoft of the problem in their software.

    I see no reason why he shouldn't be compensated for the work he's done here, and if Microsoft aren't paying him then it's only fair that he offers his work to the highest bidder. It's perhaps unfortunate for Microsoft that he can leverage the most value for his work before they have had a chance to patch the problem, but the seller doesn't have any obligation to Microsoft and their problems are no concern of his.

  13. I Think it's Pretty Funny by kadathseeker · · Score: 2, Insightful

    I'm pretty sure it was meant as a joke, he just took a chance to jab at MS. Don't take it too seriously. After all, he only wanted 1 cent for it.

    --
    The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
  14. Re:Suppression of information is a necessary by Anonymous Coward · · Score: 2, Insightful
    So is it OK for me to provide a detailed description of how to make a suitcase nuclear weapon, including people to contact to get the materials used in its production?
    Various law enforcement agencies would find the contact info useful...
    How about the nuclear launch codes and how to use them? How about some top secret security codes used for encryption of data regarding national security?
    I'd rather have leaked codes public and changed than known in a limited group (same for any other "secret" codes.) Anyway, I hope you need physical access to make use of them...
  15. It broke the "ebay doesn't like it" rule by Sycraft-fu · · Score: 4, Insightful

    eBay has no obligation to list anything in particular. It is in their best interests to list most auctions without objection since the more that sells the more money they make, but there's no obligation. If eBay management decided that they wanted to ban selling of all religious items or something, they'd be well within their rights.

    Now if I worked for eBay and was the guy with his finger on the button, so to speak, for canceling auctions, I'd pull this. Why? Well, simple cost-benefit analysis:

    It's entirely possible, even likely, this guy is lying (I'm talking from their perspective, pre MS announcement) and thus we'll just get involved with having to refund someone's money in the end. But let's assume he's telling the truth. In that case we would be on the hook for a ton of bad publicity since no doubt the press would eat up the story of eBay selling hacking instructions, and we might even be civilly or criminally liable for knowingly allowing this to go on. Now weigh that against the 2% or so we'd make from the final sale, maybe a few hundred at most if the auction gets bid way up. Not even a blip on our balance sheet. Thus, we cancel the auction.

    eBay's a business, pure and simple. They'll let you sell whatever you want (for a cut) unless they feel what you are selling might cause them trouble. That's why they ban some entire classes of items, like firearms. It's not illegal to sell firearms on the Internet, and there are sites that do it. However it's tricky, since they have to be shipped to a licensed dealer and so on. It exposes you to a lot more liability, liability eBay doesn't want, so they just outright ban them.

  16. Re:Suppression of information is a necessary by ThinkFr33ly · · Score: 2, Insightful

    Do you think that realistically, Microsoft could not release a patch for this in the 7 day timeframe of the original auction?

    Are you kidding? Of course not. Excel is used by MILLIONS of people and the testing that needs to go into any kind of patch takes a weeee bit longer than 7 days.

    In addition, we have no idea of the implementation details of the patch. Perhaps the offending code actually lives in a system library. This further adds to the time it takes to implement and test a patch.

    This guy put the exploit on eBay for purely egotistical reasons... and perhaps some greed. It had nothing to do with holding Microsoft accountable, and even if it did it would be questionable at best.

  17. Re:Suppression of information is a necessary by arkanes · · Score: 2, Insightful
    Besides the other replies, most of which are reasonable, you're drawing an apples and oranges comparison. The security code is the secret. The method by which you obtained it is the flaw. Disclosure of the flaw is reasonable. Disclosure of the secret (usually) is not. Disclosure should also be to affected parties - if you know your neighbor's code because the keypad is visible from the street, then you should tell him that. There's no special need to publish that widely, because only your neighbor is affected.

    On the other hand, if you know the code because there's a flaw in the system, it's reasonable to distribute that widely, so that it reaches all the customers involved - assuming that the company doesn't take reasonable steps itself. I know there's a common thought that you shouldn't take action into your own hands just because the company doesn't respond to your satisfaction, but on the other hand it's demonstrably true that many companies are much more interested in maintaining a pretense of security than real security, and they rarely have customers' best interests at heart.

  18. Re:More information and a few questions: by StikyPad · · Score: 2, Insightful

    Except those issues are completely devoid of relevance. This isn't the Supreme Court deciding whether the auction should be legal because of "substantial noninfringing uses." This is solely an incident of a private entity deciding not to do business with another private entity. eBay is entitled to deny any listing for any reason it chooses, and the only measure of whether that decision was right or wrong is whether or not it protects eBay's interests. The only justification they need is that they didn't like the listing, and the only possible repercussions are the possible alienation of the massive vulnerability-purchasing demographic.

    On the other hand, they could have let the listing stand and exposed themselves to possible private or public legal action, tarnished their public image, and further encouraged people to test the proverbial waters with equally or exceedingly unconventional listings.

    But the good news, if you believe that eBay is eschewing a substantial opportunity, is that you have the chance to step in and serve the exploding market for software vulnerabilities by creating your own auction site. Maybe you'll get rich, or maybe you'll get sued so hard by Microsoft that you can't walk straight for weeks... there's only one way to find out!