Slashdot Mirror


MS Excel exploit on auction

geo_2677 writes "Someone had put up for auction on eBay the details of an exploit in Microsoft Excel, according to a recent article on SecurityFocus. According to the article, Microsoft has confirmed that this vulnerability exists, but in the meantime the original listing on eBay has been pulled." The auction has now been pulled, but it does appear that Microsoft has confirmed the vulnerability in an eWeek article.

5 of 179 comments

  1. More information and a few questions: by TripMaster Monkey · Score: 5, Interesting

    First, in the interest of stimulating more informed discussion, here is some more information concerning the auction:
    • The actual article on SecurityFocus (not the abbreviated discussion article referenced in TFS).
    • The full text of the auction, courtesy of the good folks at the OSVDB blog.
    • The screenie of the actual eBay auction, again courtesy of OSVDB.

    From the auction text:
    The lot: One 0-day Microsoft Excel Vulnerability

    Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product).

    A percentage of this sale will be contributed to various open-source projects.
    Second, two questions:
    1. As the seller did in fact report this vulnerability to Microsoft first, would his subsequent attempt to call attention to the vulnerability by posting it for auction on eBay be considered 'irresponsible'?
    2. Exactly which eBay rule did this auction break?


    Discuss.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:More information and a few questions: by sh00z · Score: 5, Interesting
      2. Exactly which eBay rule did this auction break?
      Probably the restriction on downloadable media, because the seller stated intent to e-mail the file, but did not explicitly state that he is the copyright owner of the electronic file(s) for sale. It seems that M$ would have had a court injunction to prove criminal intent.
  2. Who is the bigger sucker here? by digitaldc · Score: 3, Interesting

    Who is the bigger sucker?

    The people who bid on an exploit to make Excel crash? Or those who believed that this was a critical security flaw? Or eBay for posting it in the first place?

    If you really want to know how to make Excel crash, pick your poison - here is a free link:
    http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=excel+crash

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  3. Well alright let's run with this idea by SmallFurryCreature · Score: 3, Interesting
    A security hole on its own has zero value. Take for instance those 1 dollar number locks you can get for your luggage. I can tell you how to break them but big deal. Not because a wire cutter will also work (that would leave evidence that the lock has been broken) but because the attached value is too small.

    A security hole would get its value from the attached object. A how-to on bypassing shed locks is of less value than a how-to on bypassing a bank safe.

    Next would come how easy it is to exploit the security hole. This one seems to require people to open an Excel sheet. This obviously makes it of lesser value than, say, an exploit that works when a user opens a gif file via IE. Even more valuable would be an exploit that does not require the user to do anything but can attack any computer just hooked up to the net.

    Would there be money in it? You bet. Once you got an exploit, using it to install a botnet is child's play, and botnets are big business. If you can deliver a 10.000 zombie network there are people willing to pay you hard cash in exchange. Even for just renting it.

    However you would hardly do this over eBay. There are very few legit uses for a botnet and therefore your potential customers would prefer a less public way of trading it.

    But it does happen. It is one of the reasons we see so few destructive viruses vs the ones that turn a PC into a zombie. Used to be different. Once the majority of viruses either joked or destroyed your machine. Now you just got a zombie. Do I have proof?

    No, of course not. Just stories, tall tales from the server room, and hints that should a company that hosts pay sites wish to do some advertising that they might know ways that do not involve constantly trying to find the next provider willing to be placed on a ban list for spam.

    Spam sells, ISPs are unwilling to host spammers, so the only question is, will spammers pay for a botnet that can do their spamming? Does the pope shit in the woods?

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  4. Re:Suppression of information is a necessary by Ph33r th3 g(O)at · Score: 4, Interesting

    In the first case, yes. In fact, that right has already been upheld and Esquire (IIRC) published an article that describes how to make a nuclear weapon. In the second case, you're talking about classified material that only those with clearances who agreed not to disclose it would be privy to, and that's not a valid comparison. I find it ironic that someone with the name "think freely" would argue in favor of suppression of information.

    --
    I too have felt the cold finger of injustice.