Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Excel exploit on auction

Posted by Hemos on from the brave-new-world dept.

geo_2677 writes "Someone had put up for auction on eBay the details of an exploit in Microsoft Excel according to a recent article on Securityfocus. According to the article Microsoft has confirmed that this vulnerability exists, but in the meantime the original listing on eBay has been pulled. " The now pulled auction, but it does appear that Microsoft has confirmed the vulnerability in an eweek article.

17 of 179 comments (clear)

  1. More information and a few questions: by TripMaster+Monkey · · Score: 5, Interesting

    First, in the interest of stimulating more informed discusion, here is some more information concerning the auction:
    • The actual article on SecurityFocus (not the abbreviated discussion article referenced in TFS).
    • The full text of the auction, courtesy of the good folks at the OSVDB blog.
    • The screenie of the actual eBay auction, again courtesy of OSVDB.

    From the auction text:
    The lot: One 0-day Microsoft Excel Vulnerability

    Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product).

    A percentage of this sale will be contributed to various open-source projects.
    Second, two questions:
    1. As the seller did in fact report this vulerability to Microsoft first, would his subsequent attempt to call attention to the vulnerability by posting it for auction on eBay be considered 'irresponsible'?
    2. Exactly which eBay rule did this auction break?


    Discuss.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:More information and a few questions: by generic-man · · Score: 5, Funny

      The seller violated eBay's policy of Don't Fuck With Microsoft.

      --
      For more information, click here.
    2. Re:More information and a few questions: by Zeinfeld · · Score: 4, Insightful
      As the seller did in fact report this vulerability to Microsoft first, would his subsequent attempt to call attention to the vulnerability by posting it for auction on eBay be considered 'irresponsible'?

      No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.

      EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.

      This is not 'full disclosure', its selling information to the criminals.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    3. Re:More information and a few questions: by Ph33r+th3+g(O)at · · Score: 5, Insightful

      You mean a security researcher or corporate security officer couldn't have used that information? People who believe that the suppression of information is okay because it could be misused are heading down a dark road, the price of return from which will have to be paid in blood someday by a future generation.

      --
      I too have felt the cold finger of injustice.
    4. Re:More information and a few questions: by sh00z · · Score: 5, Interesting
      2. Exactly which eBay rule did this auction break?
      Probably the restriction on downloadable media, because the seller stated intent to e-mail the file, but did not explicitly state that he is the copyright owner of the electronic file(s) for sale. It seems that M$ would have had a court injunciton to prove criminal intent.
    5. Re:More information and a few questions: by RaymondInFinland · · Score: 5, Insightful

      No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.
      What about the system administrator trying to secure his networks? There are plenty of legitimate reasons why someone would want to know exactly what the vulnerability is so they are able to stop people from using it.

      EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.
      So vulnerabilities are now illegal material? Better call the cops and the feds to shut down Microsoft because they seem to be producing a lot of them.

      This is not 'full disclosure', its selling information to the criminals.
      Wouldn't that depend of the person who would have won the auction? See also point 1).

    6. Re:More information and a few questions: by krgallagher · · Score: 4, Insightful
      "This is not 'full disclosure', its selling information to the criminals."

      Cosidering that the opening bid was set at $0.01, I doubt he really expected to profit. Instead he probably just wanted to call public attention to the exploit and force Microsoft to address it quickly.

      --

      Insert Generic Sig Here:

  2. What was the grounds for pulling the auction? by Ph33r+th3+g(O)at · · Score: 5, Insightful

    eBay is infested with public domain repackagers and sellers of "information" that they seem to do nothing about. But if Microsoft doesn't like an auction, it's gone, apparently.

    --
    I too have felt the cold finger of injustice.
    1. Re:What was the grounds for pulling the auction? by ultranova · · Score: 4, Insightful

      Anyone spending money on an auction for info on how to get a 'free ipod' deserves to get ripped off.

      No they don't. The naive and/or stupid don't deserve to get ripped off any more than old people deserve to get their hipbones broken, or people who don't do martial arts deserve to get beaten up by muggers. These all happen, but they are not right, just nor the way things should be. That someone is weak is not sufficient justification for others to prey on him.

      I really hate this callous attitude of "If someone can't protect themselves, they deserve to have bad things happen to them, especially if it helps someone else to line their pockets". Especially since the people saying so are the first ones to complain when a bigger bastard, be it government or big business, makes them the ones who get ripped off.

      I guess it is fashionable today to preach about "personal responsibility" and pervert that to mean an attitude of utter pitilessness towards other human beings. Notice how these people are talking about others personal responsibility as an excuse for their heartlessness. They demand that their property is protected by law, but when that same law is used to provide food and shelter to other human beings - indeed, as soon as they are not the ones getting the benefits - these people start to loudly complain about "nanny state", "communism" or other similar things.

      Sorry for the offtopic rant, but I'm just so sick of this nonsense.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  3. Heh... by the_skywise · · Score: 5, Funny

    Now THAT'S capitalism!

    (Or at least a good demonstration of Ferengi behavior...)

  4. You can buy anything on Ebay by ATeamMrT · · Score: 4, Funny
    Someone had put up for auction on eBay the details of an exploit in Microsoft Excel

    I'll buy that one as soon as I buy the product which tells me how to remove all spyware by formatting my hard drive. It's only $7.95, and he sends the PDF file as soon as payment is recieved. Now if only I knew how to open a PDF file. :(

    Maybe I'll search ebay, and someone can sell me a product which tells me how to open a PDF file. :) :)

    But first, I need to bid on this guy who claims he can teach me how to get Plasma TV's for free from the manufacturers. He says in his ebay auction that manufacturers don't have enough people to test their product and they want me to help them!

    Ebay is more good than bad, but how can these people sell garbage?

    If the guy is selling information on how to exploit software, doesn't that violate the DCMA?

    I guess I should not complain. Ebay is the only place I know of that has everything, the worlds largest flea market.

  5. Bad auction by mrRay720 · · Score: 5, Insightful

    Looking at the motivation this guy has, I can't really see how it can be good.

    So, it was submitted to Microsoft on the 6th, and since then he's recieved a reply stating they'll probably be working on a fix. That was LESS THAN A WEEK AGO. Releasing vulnerabilities is something that, IMO, should only be done if (a) there is some specific need for everyone to know about it right now, or (b) requests for fixes have fallen on deaf ears or otherwise failed for an extended period of time.
    This meets neither of those criteria.

    - looking to make a profit from releasing details of a vulterability
    - phrasing the auction in a way that makes it clear he wants the buyer to do something bad - "It can be assumed that no patch addressing this vulnerability will be available within the next few months"

    Sounds to me more like some dumb little script kiddy that got lucky finding a small hole, but doesn't have the ability to do anything with it. Working from an illogical hatred of MS he's trying to get someone else to unleash a virus on the world on his behalf.

    What a great guy.

  6. I Don't think you read the RTFA by djdavetrouble · · Score: 5, Informative

    and shame on the moderators as well. This is obviously either a publicity stunt or this guy is just
    having some fun and saying fuck you M$ in a very public arena. Did you read this hilarious part?

    Special offers:
    Microsoft representatives get 10% off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout.

    parent says: phrasing the auction in a way that makes it clear he wants the buyer to do something bad

    No, specifically forbidden by auction text, with no winks or smilies or anything ironic.
    Your bid indicates that you agree to the following:
    1. You may not use this information for malicious or illegal purposes. The information you receive is for educational and
    research purposes only.
    2. The seller reserves the right to refuse delivery to anyone (a full refund will be issued).
    3. The seller will accept no responsibility for anything you do with this information.
    4. The seller cannot be held liable under any circumstances.
    5. Absolutely no refunds will be provided except for the reason mentioned above.

    Parent says: Looking at the motivation this guy has, I can't really see how it can be good.

    It calls to attention that a critical vulnerability will go unpatched for months after it has been properly disclosed. That is the way that it can be good.

    --
    music lover since 1969
  7. Argh! by JRHelgeson · · Score: 4, Informative

    The auction was canceled and I was the high bidder too!
    Here's a mirror of the auction.

    Joel

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  8. The funniest part... by krbvroc1 · · Score: 4, Funny

    From the auction: Microsoft representatives get 10% off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout

  9. Re:Supression of information is a necessary by Ph33r+th3+g(O)at · · Score: 4, Interesting

    In the first case, yes. In fact, that right has already been upheld and Esquire (IIRC) published an article that describes how to make a nuclear weapon. In the second case, you're talking about classified material that only those with clearances who agreed not to disclose it would be privy to, and that's not a valid comparison. I find it ironic that someone with the name "think freely" would argue in favor of suppression of information.

    --
    I too have felt the cold finger of injustice.
  10. It broke the "ebay doesn't like it" rule by Sycraft-fu · · Score: 4, Insightful

    eBay has no obligation to list anything in particuar. It is in their best intrests to list most auctions without objection since the more that sells the more money they make, but there's no obligation. If eBay management decided that they wanted to ban selling of all religious items or something, they'd be well within their rights.

    Now if I worked for eBay and was the guy with his finger on the button, so to speak, for canceling autions, I'd pull this. Why? Well simple cost-benefit analysis:

    It's entirely possible, even likely, this guy is lying (I'm talking from their perspective, pre MS announcement) and thus we'll just get invloved with having to refund someone's money in the end. But let's assume he's telling the truth. In that case we would be on the hook for a ton of bad publicity since no doubt the press would eat up the story of eBay welling hacking instructions, and we might even be civily or criminaly liable for knowingly allowing this to go on. Now weigh that against the 2% or so we'd make from the final sale, maybe a few hundred at most if the auction gets bid way up. Not even a blid on our balance sheet. Thus, we cancel the auction.

    eBay's a business, pure and simple. They'll let you sell whatever you want (for a cut) unless they feel what you are selling might cause them trouble. That's why they ban some entire classes of items, like firearms. It's not illegal to sell firearms on the Internet, and there are sites that do it. However it's trickey, since they have to be shipped to a licensed dealer and so on. It exposes you to a lot more liability, liability eBay doesn't want, so they just outright ban them.