Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Excel exploit on auction

Posted by Hemos on from the brave-new-world dept.

geo_2677 writes "Someone had put up for auction on eBay the details of an exploit in Microsoft Excel according to a recent article on Securityfocus. According to the article Microsoft has confirmed that this vulnerability exists, but in the meantime the original listing on eBay has been pulled. " The now pulled auction, but it does appear that Microsoft has confirmed the vulnerability in an eweek article.

4 of 179 comments (clear)

  1. What was the grounds for pulling the auction? by Ph33r+th3+g(O)at · · Score: 5, Insightful

    eBay is infested with public domain repackagers and sellers of "information" that they seem to do nothing about. But if Microsoft doesn't like an auction, it's gone, apparently.

    --
    I too have felt the cold finger of injustice.
  2. Bad auction by mrRay720 · · Score: 5, Insightful

    Looking at the motivation this guy has, I can't really see how it can be good.

    So, it was submitted to Microsoft on the 6th, and since then he's recieved a reply stating they'll probably be working on a fix. That was LESS THAN A WEEK AGO. Releasing vulnerabilities is something that, IMO, should only be done if (a) there is some specific need for everyone to know about it right now, or (b) requests for fixes have fallen on deaf ears or otherwise failed for an extended period of time.
    This meets neither of those criteria.

    - looking to make a profit from releasing details of a vulterability
    - phrasing the auction in a way that makes it clear he wants the buyer to do something bad - "It can be assumed that no patch addressing this vulnerability will be available within the next few months"

    Sounds to me more like some dumb little script kiddy that got lucky finding a small hole, but doesn't have the ability to do anything with it. Working from an illogical hatred of MS he's trying to get someone else to unleash a virus on the world on his behalf.

    What a great guy.

  3. Re:More information and a few questions: by Ph33r+th3+g(O)at · · Score: 5, Insightful

    You mean a security researcher or corporate security officer couldn't have used that information? People who believe that the suppression of information is okay because it could be misused are heading down a dark road, the price of return from which will have to be paid in blood someday by a future generation.

    --
    I too have felt the cold finger of injustice.
  4. Re:More information and a few questions: by RaymondInFinland · · Score: 5, Insightful

    No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.
    What about the system administrator trying to secure his networks? There are plenty of legitimate reasons why someone would want to know exactly what the vulnerability is so they are able to stop people from using it.

    EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.
    So vulnerabilities are now illegal material? Better call the cops and the feds to shut down Microsoft because they seem to be producing a lot of them.

    This is not 'full disclosure', its selling information to the criminals.
    Wouldn't that depend of the person who would have won the auction? See also point 1).