Slashdot Mirror


MS Excel exploit on auction

geo_2677 writes "Someone had put up for auction on eBay the details of an exploit in Microsoft Excel according to a recent article on SecurityFocus. According to the article Microsoft has confirmed that this vulnerability exists, but in the meantime the original listing on eBay has been pulled." The auction has now been pulled, but it does appear that Microsoft has confirmed the vulnerability in an eWeek article.

15 of 179 comments

  1. More information and a few questions: by TripMaster+Monkey · · Score: 5, Interesting

    First, in the interest of stimulating more informed discussion, here is some more information concerning the auction:
    • The actual article on SecurityFocus (not the abbreviated discussion article referenced in TFS).
    • The full text of the auction, courtesy of the good folks at the OSVDB blog.
    • The screenie of the actual eBay auction, again courtesy of OSVDB.

    From the auction text:
    The lot: One 0-day Microsoft Excel Vulnerability

    Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product).

    A percentage of this sale will be contributed to various open-source projects.
    Second, two questions:
    1. As the seller did in fact report this vulnerability to Microsoft first, would his subsequent attempt to call attention to the vulnerability by posting it for auction on eBay be considered 'irresponsible'?
    2. Exactly which eBay rule did this auction break?


    Discuss.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:More information and a few questions: by sh00z · · Score: 5, Interesting
      2. Exactly which eBay rule did this auction break?
      Probably the restriction on downloadable media, because the seller stated intent to e-mail the file, but did not explicitly state that he is the copyright owner of the electronic file(s) for sale. It seems that M$ would have had a court injunction to prove criminal intent.
    2. Re:More information and a few questions: by TripMaster+Monkey · · Score: 2, Interesting


      No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.

      So you're asserting that a security professional could not use the information to create a patch or fix for this vulnerability?

      EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.

      I'm having a hard time finding the exact violation on eBay's prohibited and restricted items page. Think you could point it out for me?

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    3. Re:More information and a few questions: by Alsee · · Score: 2, Interesting

      The -selling- of vulnerabilities in software is criminal activity any way you shake it.

      Ah yes, and a reporter who writes an exposé on rotten airport security and SELLS it to the New York Times is criminal activity any way you shake it.

      You have a bizarre definition of "criminal" and "illegal", and you have no grasp of law. The law does NOT equal "I don't like it".

      By the way, if anyone wants to make Nitroglycerine here's how...
      Ingredients:
      Glycerine
      Concentrated sulphuric acid
      Concentrated nitric acid

      Glycerine can be bought off the shelf at your local drugstore. Sulphuric acid is better known as car battery acid, though you would need to distill ordinary car batter acid to higher concentration. Nicrtic acid is a bit harder to come across, but it's not that hard to make. Nitric acid is the primary component of ordinary acid rain.

      Simply mix the three ingredients VERY SLOWLY, over an ICE BATH.
      Waring - this reaction produces heat. Hot nitroglycerine is very very bad. It tends to go BOOM. Mix it as slowly as possible, and keep it as ice-cold as possible.

      After mixing, and assuming you haven't killed yourself in the process, there will be an oily brown liquid floating on top. This oily brown liquid is nitroglycerine.

      Undoubtedly you think that I should not have posted that information. *YOU* apparently think that was illegal, and that I am a criminal for doing so. And you'd apparently also think it illegal for me to SELL that recipe on e-Bay.

      However You Are Wrong.
      In fact (assuming we are discussing American law) it would be UNCONSTITUTIONAL for you to attempt to create a law against it. I invite you to read this United States Department of Justice report to the Senate. The Senate asked for a report on the constitutionality and limits of their ability to create a law restricting bomb-making information. The DOJ explains that such a law would be a violation of the First Amendment. That publishing such information CANNOT be illegal in the US. The limits of what can be criminalized are basically (1) acting with EXPLICIT INTENT to cause a crime to occur, or (2) aiding and abetting someone with EXPLICIT KNOWLEDGE that you are aiding and abetting a crime.

      I assume the guy was actually selling the info on how to exploit, therefore putting valid users and companies at risk....hmm...kinda sounds a tad bit little illegal to me

      I just published nitroglycerine making information. It is, in your words, "therefore putting valid users and companies at risk". It is not illegal and CANNOT be illegal in the US. I have no intent for anyone to commit a crime with that information. No one has asked me to supply it to them for the purpose of committing a crime.

      Why should an admin have to -pay- for the information? ...sounds kinda like blackmail in a sense.

      Blackmail is when you THREATEN someone.

      If I created a copyrighted work, one that happens to teach this information, you certainly cannot require me to give it to anyone for free. I have every right to remain silent and tell no one. If somebody wants me to teach them this information, then I have every right to ask for money before I sell them a copy of the instructional text I created.

      One would presume that Microsoft will... sooner or later... publish this information itself. If you want to wait for that then you can get the information free then. How about you bitch at Microsoft for not giving anyone this info for free now?

      If you want this info now, and if Microsoft refuses to give it to you, this guy is offering to give you a copy now. You apparently want this info. You apparently consider it valuable. If you want this guy to do work and send it to you then you have the choice of paying for it. Or not.

      So yes, eBay did the right thing here, imo.

      If you mean in terms of avoiding the hassle and expense of

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  2. Who is the bigger sucker here? by digitaldc · · Score: 3, Interesting

    Who is the bigger sucker?

    The people who bid on an exploit to make Excel crash? Or those who believed that this was a critical security flaw? Or Ebay for posting it in the first place?

    If you really want to know how to make Excel crash, pick your poison - here is a free link:
    http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=excel+crash

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  3. Censorship? by canuck57 · · Score: 2, Interesting

    ...meantime the original listing on eBay has been pulled.

    Why should not one be able to sell a vulnerability since they are in fact commodities?

    If you can profit from making them, profit from dealing with them then why not profit by discovering them? There are precedents like this, the patent system has companies that hold patents for no other reason than to sue other companies when they trip on a patent.

    All this will do is force the practice underground. Mind you, it does let the world know it is going on.

  4. Pricing? by DynamicPhil · · Score: 2, Interesting
    Actually, a much more interesting discussion is the:

    How would you go about setting the price of a security hole? What is the worth?

    "By monetary value of what could be lost exploiting the hole", or something else? Estimation of possible gains (user data like credit card info) through usage of the hole - the perpetrators view?

    Because, let's face it: There are people out there willing to pay for information like this.
    (and I'm not saying it's right - just stating the fact). There are also others wondering how some things come to pass, and the damage bad code review actually causes.

    ok, sorry - possibly OT. But I *am* interested in /. ers reasoning about "the value/possible cost of security holes".

    --
    "If it can be thought up, there exists at least one person trying to make it happen for real" - Phil
  5. seller's feedback list by bach37 · · Score: 2, Interesting

    http://feedback.ebay.com/ws/eBayISAPI.dll?ViewFeedback&userid=fearwall

    Looks like the seller just bought a keystroke logger.... :)

  6. This could be a good way to set time limits? by rianman · · Score: 2, Interesting

    This could be the start of a good way to embarrass companies into fixing bugs AND punishing bad people. Evil person wants to use the exploit, so they bid. Microsoft don't want the exploit usable, so they fix it (run with me on this one for a moment). The clever bit is, the Seller (who is honest, intelligent and socially responsible) sets the auction expiry time far enough into the future to cause a race between the two. M$ are put on public notice when the exploit becomes usable. If they win the race, Evil Person has to pay for no benefit (or M$ would give them a bad ebay rating - that'd hurt, right?). If they lose the race, public humiliation ensues. This is sort of like the Bounty system, in reverse. Or just plain blackmail. Either way, it would be fun to watch.

  7. Suppression of information is a necessary by ThinkFr33ly · · Score: 2, Interesting

    So is it OK for me to provide a detailed description of how to make a suitcase nuclear weapon, including people to contact to get the materials used in its production? How about the nuclear launch codes and how to use them? How about some top secret security codes used for encryption of data regarding national security? How about the security codes to your house alarm?

    Suppression of information is a necessary fact of life in a world where information can be used to harm others.

    This does not justify suppression of any information a government feels like suppressing. Each case must be examined carefully, but to say that there is never a justifiable reason to suppress information is dangerous and clearly at odds with reality.

    1. Re:Suppression of information is a necessary by Ph33r+th3+g(O)at · · Score: 4, Interesting

      In the first case, yes. In fact, that right has already been upheld and Esquire (IIRC) published an article that describes how to make a nuclear weapon. In the second case, you're talking about classified material that only those with clearances who agreed not to disclose it would be privy to, and that's not a valid comparison. I find it ironic that someone with the name "think freely" would argue in favor of suppression of information.

      --
      I too have felt the cold finger of injustice.
    2. Re:Suppression of information is a necessary by aitikin · · Score: 2, Interesting

      Big difference. If I gave out my security code to people, accidentally or purposefully, it would be my fault that my house was broken into. If the company has a flaw with their security system, it's their fault that my house is broken into. If it's public knowledge that there is this security flaw, I could possibly keep it from occurring in my house as well as complain to the company to try to get it fixed.

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
  8. Well alright lets run with this idea by SmallFurryCreature · · Score: 3, Interesting
    A security hole on its own has zero value. Take for instance those 1 dollar number locks you can get for your luggage. I can tell you how to break them but big deal. Not because a wire cutter will also work (that would leave evidence that the lock has been broken) but because the attached value is too small.

    A security hole gets its value from the attached object. A how-to on bypassing shed locks is of less value than a how-to on bypassing a bank safe.

    Next would come how easy it is to exploit the security hole. This one seems to require people to open an Excel sheet. This obviously makes it of lesser value than, say, an exploit that works when a user opens a gif file via IE. Even more valuable would be an exploit that does not require the user to do anything but can attack any computer just hooked up to the net.

    Would there be money in it? You bet. Once you've got an exploit, using it to install a botnet is child's play and botnets are big business. If you can deliver a 10.000 zombie network there are people willing to pay you hard cash in exchange. Even for just renting it.

    However you would hardly do this over e-bay. There are very few legit uses for a botnet and therefore your potential customers would prefer a less public way of trading it.

    But it does happen. It is one of the reasons we see so few destructive viruses vs the ones that turn a PC into a zombie. Used to be different. Once the majority of viruses either joked or destroyed your machine. Now you just get a zombie. Do I have proof?

    No, of course not. Just stories, tall tales from the server room, and hints that should a company that hosts pay sites wish to do some advertising that they might know ways that do not involve constantly trying to find the next provider willing to be placed on a ban list for spam.

    Spam sells, ISPs are unwilling to host spammers, so the only question is, will spammers pay for a botnet that can do their spamming. Does the pope shit in the woods?

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  9. He is not to blame by lhommemagique · · Score: 2, Interesting

    Hunting stores sell lots of guns and knives all the time, and if someone buys one of these and kills someone else the hunting store is not to blame. Just as this guy should not be blamed if his sale had led to a misuse of the exploit.

  10. Re:Heh by sbrown123 · · Score: 1, Interesting

    You're right. We should just cover these things up like stinky poo and ignore that they exist. That will make them go away!