MS Excel exploit on auction

geo_2677 writes "Someone had put up for auction on eBay the details of an exploit in Microsoft Excel, according to a recent article on SecurityFocus. According to the article, Microsoft has confirmed that this vulnerability exists, but in the meantime the original listing on eBay has been pulled." The auction has now been pulled, but it does appear that Microsoft has confirmed the vulnerability in an eWeek article.
  • by TripMaster Monkey ( 862126 ) * on Monday December 12, 2005 @10:41AM (#14238318)

    First, in the interest of stimulating more informed discussion, here is some more information concerning the auction:
    • The actual article [securityfocus.com] on SecurityFocus (not the abbreviated discussion article referenced in TFS).
    • The full text of the auction [osvdb.org], courtesy of the good folks at the OSVDB blog.
    • The screenie [osvdb.org] of the actual eBay auction, again courtesy of OSVDB.

    From the auction text:
    The lot: One 0-day Microsoft Excel Vulnerability

    Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product).

    A percentage of this sale will be contributed to various open-source projects.
    Second, two questions:
    1. As the seller did in fact report this vulnerability to Microsoft first, would his subsequent attempt to call attention to the vulnerability by posting it for auction on eBay be considered 'irresponsible'?
    2. Exactly which eBay rule did this auction break?


    Discuss.
    • by generic-man ( 33649 ) * on Monday December 12, 2005 @10:43AM (#14238331) Homepage Journal
      The seller violated eBay's policy of Don't Fuck With Microsoft [slashdot.org].
    • by Zeinfeld ( 263942 ) on Monday December 12, 2005 @10:49AM (#14238385) Homepage
      As the seller did in fact report this vulnerability to Microsoft first, would his subsequent attempt to call attention to the vulnerability by posting it for auction on eBay be considered 'irresponsible'?

      No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.

      EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.

      This is not 'full disclosure', it's selling information to the criminals.

      • by Ph33r th3 g(O)at ( 592622 ) on Monday December 12, 2005 @10:51AM (#14238403)
        You mean a security researcher or corporate security officer couldn't have used that information? People who believe that the suppression of information is okay because it could be misused are heading down a dark road, the price of return from which will have to be paid in blood someday by a future generation.
        • Hopefully this one. It will be a good lesson in not shitting in your own nest.
          Let the revolution begin, I say.
        • People who believe that the suppression of information is okay because it could be misused are heading down a dark road, the price of return from which will have to be paid in blood someday by a future generation.

          "As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting

          • People who believe that the suppression of information is okay because it could be misused are heading down a dark road, the price of return from which will have to be paid in blood someday by a future generation.
            ------
            "As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constri
        • So is it OK for me to provide a detailed description of how to make a suitcase nuclear weapon, including people to contact to get the materials used in its production? How about the nuclear launch codes and how to use them? How about some top secret security codes used for encryption of data regarding national security? How about the security codes to your house alarm?

          Suppression of information is a necessary fact of life in a world where information can be used to harm others.

          This does not justify supressio
          • by Anonymous Coward

            So is it OK for me to provide a detailed description of how to make a suitcase nuclear weapon, including people to contact to get the materials used in its production?

            Various law enforcement agencies would find the contact info useful...

            How about the nuclear launch codes and how to use them? How about some top secret security codes used for encryption of data regarding national security?

            I'd rather have leaked codes public and changed than known in a limited group (same for any other "secret" codes.) Anyw

          • by Ph33r th3 g(O)at ( 592622 ) on Monday December 12, 2005 @12:14PM (#14238982)
            In the first case, yes. In fact, that right has already been upheld and Esquire (IIRC) published an article that describes how to make a nuclear weapon. In the second case, you're talking about classified material that only those with clearances who agreed not to disclose it would be privy to, and that's not a valid comparison. I find it ironic that someone with the name "think freely" would argue in favor of suppression of information.
            • In fact, that right has already been upheld and Esquire (IIRC) published an article that describes how to make a nuclear weapon.

              Do you have links?

              In the second case, you're talking about classified material that only those with clearances who agreed not to disclose it would be privy to

              Isn't that somewhat circular logic? It's OK to suppress information that's classified, but only because it's classified as top secret by the government? Why is it top secret? Isn't that the reason it's classified?

              I find it iron
          • There's an obvious distinction between someone's security code for their alarm system, and a fundamental flaw in the particular alarm system that allows you to bypass the security code. The latter should definitely become public information after the vendor is able to address the issue, or if they choose to ignore it.
            • What is the difference? Both are pieces of information that would allow you to gain entry to the person's home.

              Perhaps you saw the person type in that security code. If you saw them type it in, is there not a chance that somebody else did as well? Perhaps the owner of the home doesn't take his system seriously enough and occasionally tells people his code.

              By releasing this information, and making sure you know he released it, he will be more likely to change that security code... in the same way the maker o
              • Big difference. If I gave out my security code to people, accidentally or purposefully, it would be my fault that my house was broken into. If the company has a flaw with their security system, it's their fault that my house is broken into. If it's public knowledge that there is this security flaw, I could possibly keep it from occurring in my house as well as complain to the company to try to get it fixed.
                • How does that make any difference regarding the suppression of the information? Why does it matter whose "fault" it is?

                  If your security code is public knowledge, are you not more likely to change it?

                  It's an arbitrary distinction.

                  • You seem to have answered your own question, and contradicted your original theme at the same time.

                    Yes, if you oversee me type in my security code, I would much rather you tell me you know it and that you are going to publish it, and then have you publish it, than have you walking around secretly knowing my code. If you tell me it is compromised, and will be made public you are 'darn'd tootin' I'm going to change it as soon as possible, and implement better procedures to keep it from leaking in the futu
              • Besides the other replies, most of which are reasonable, you're drawing an apples and oranges comparison. The security code is the secret. The method by which you obtained it is the flaw. Disclosure of the flaw is reasonable. Disclosure of the secret (usually) is not. Disclosure should also be to affected parties - if you know your neighbor's code because the keypad is visible from the street, then you should tell him that. There's no special need to publish that widely, because only your neighbor is affecte
              • I'm going to throw one last comment in here, might have already been covered. The major distinction is the security code belongs to a private entity, he isn't advertising access to his house or a competition to break in. The company selling the home security system is marketing the system as something that keeps your house safe, and convincing people to pay them money for a product that should improve the security of their home. If there is a fundamental flaw in the system, the consumer who has been misinfo
          • "So is it OK for me to provide a detailed description of how to make a suitcase nuclear weapon, including people to contact to get the materials used in its production? How about the nuclear launch codes and how to use them? How about some top secret security codes used for encryption of data regarding national security? How about the security codes to your house alarm?"

            Yes. Again, yes. If you can obtain it, yes. Sure.

            Truth is, you couldn't do any of that if you tried. I could do the first and second, b
            • Wow, did you totally miss the point.
              • No, no I didn't. The point is that individuals keep information secure, not laws. Data like security codes and instructions for dangerous items, when open to the public, become quickly useless - as the individuals charged with keeping the information secret either change the information, or make the information only a peripheral requirement.

                Laws won't help. They're way too nonfluid to be able to adapt to the number of situations needed to handle security issues. The only thing that does help is an alert
          • You appear to want to draw a line in the sand, pitching some examples to suggest its proximity, but no matter how much you assert its existence, I don't see it. I hope I'm not standing on your invisible friend.

            I'm trying to make a subtle point here. Think! I know this is Slashdot, but someone will get it.

        • Or moreover, you mean a 'legitimate' spyware, adware, or other intrusive software company couldn't use something like this?

          I mean, those such companies haven't been shut down yet, how illegitimate could they be?

      • No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.

        So you're asserting that a security professional could not use the information to create a patch or fix for this vulnerability?

        EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.

        I'm having a hard time finding the exact violation on eBay's prohibited and restricted items page [ebay.com]. Think you could point
        • Think you could point it out for me?

          Sure, right here. [ebay.com]: "Without limiting other remedies, we may limit, suspend, or terminate our service and user accounts, prohibit access to our website, remove hosted content, and take technical and legal steps to keep users off the Site if we think that they are creating problems, possible legal liabilities, or acting inconsistently with the letter or spirit of our policies."

          And right here [ebay.com]: "eBay alone will exercise its judgment in deciding which listings are not permiss
      • by RaymondInFinland ( 103909 ) on Monday December 12, 2005 @10:57AM (#14238462)
        No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.
        What about the system administrator trying to secure his networks? There are plenty of legitimate reasons why someone would want to know exactly what the vulnerability is so they are able to stop people from using it.

        EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.
        So vulnerabilities are now illegal material? Better call the cops and the feds to shut down Microsoft because they seem to be producing a lot of them.

        This is not 'full disclosure', it's selling information to the criminals.
        Wouldn't that depend on the person who would have won the auction? See also point 1).
        • No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.

          What about the system administrator trying to secure his networks? There are plenty of legitimate reasons why someone would want to know exactly what the vulnerability is so they are able to stop people from using it.

          Exactly. From the Microsoft viewpoint, trying to secure anything without their permission or use of another one of their products is criminal.

          Stop questioning Microsoft y

        • Except those issues are completely devoid of relevance. This isn't the Supreme Court deciding whether the auction should be legal because of "substantial noninfringing uses." This is solely an incident of a private entity deciding not to do business with another private entity. eBay is entitled to deny any listing for any reason it chooses, and the only measure of whether that decision was right or wrong is whether or not it protects eBay's interests. The only justification they need is that they didn't
      • Anyone who has Excel can use this knowledge to make a choice: do I continue to use Excel, or do I use something else? The guy did nothing criminal.
      • by krgallagher ( 743575 ) on Monday December 12, 2005 @11:08AM (#14238531) Homepage
        "This is not 'full disclosure', it's selling information to the criminals."

        Considering that the opening bid was set at $0.01, I doubt he really expected to profit. Instead he probably just wanted to call public attention to the exploit and force Microsoft to address it quickly.

      • No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.

        Criminals, yes, and everyone who is considering which program to use, as well as anyone who uses Excel - after all, knowing an exploit might help one avoid situations where one might be vulnerable.

        EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.

        If information about vulnerabilities is i

      • No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal...

        Bullshit.
        To paraphrase one of the full-disclose list participants...
        It's ok for CERT to sell 0-days or iDefense to buy 0-days and sell info to clients? Because that's what they do, but that's ok?

        EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material...

        Just what, exactly, is this alleged "illegal mate
    • by sh00z ( 206503 ) <sh00z.yahoo@com> on Monday December 12, 2005 @10:52AM (#14238412) Journal
      2. Exactly which eBay rule did this auction break?
      Probably the restriction on downloadable media [ebay.com], because the seller stated intent to e-mail the file, but did not explicitly state that he is the copyright owner of the electronic file(s) for sale. It seems that M$ would have had a court injunction to prove criminal intent.
    • Exactly which eBay rule did this auction break?

      I guess Ebay rules are just like actual laws: it doesn't really matter whether you actually broke one; there are so many laws, some very vague, that almost anything can fall under one law or another with a bit of rationalization. Just look at the Constitution, today's federal govt. is completely different from that of 1788, even though the federal govt. is supposedly established by the Constitution which has hardly changed at all.

    • $0.01? A bit of an over-estimation, surely?
    • by Sycraft-fu ( 314770 ) on Monday December 12, 2005 @12:38PM (#14239161)
      eBay has no obligation to list anything in particular. It is in their best interests to list most auctions without objection since the more that sells the more money they make, but there's no obligation. If eBay management decided that they wanted to ban selling of all religious items or something, they'd be well within their rights.

      Now if I worked for eBay and was the guy with his finger on the button, so to speak, for canceling auctions, I'd pull this. Why? Well, simple cost-benefit analysis:

      It's entirely possible, even likely, this guy is lying (I'm talking from their perspective, pre MS announcement) and thus we'll just get involved with having to refund someone's money in the end. But let's assume he's telling the truth. In that case we would be on the hook for a ton of bad publicity since no doubt the press would eat up the story of eBay selling hacking instructions, and we might even be civilly or criminally liable for knowingly allowing this to go on. Now weigh that against the 2% or so we'd make from the final sale, maybe a few hundred at most if the auction gets bid way up. Not even a blip on our balance sheet. Thus, we cancel the auction.

      eBay's a business, pure and simple. They'll let you sell whatever you want (for a cut) unless they feel what you are selling might cause them trouble. That's why they ban some entire classes of items, like firearms. It's not illegal to sell firearms on the Internet, and there are sites that do it. However it's tricky, since they have to be shipped to a licensed dealer and so on. It exposes you to a lot more liability, liability eBay doesn't want, so they just outright ban them.
      • ...what's to stop any random idiot from claiming your auction is violating something or other and telling eBay to pull your auction? Case in point: some organization calling itself "SIIA (The Software & Information Industry Association)" has pulled my wife's auction of a set of Kaplan USMLE study books...wait for it...which she bought on eBay. Lots of other auctions for the exact same items stay on and go through to completion. Sounds like someone doesn't like competition and knows how to game the s
    • 1) Actually, not irresponsible at all. It was BRILLIANT. Look at how quickly Microsoft responded when they found out the amount of interest (as in actual dollars) in the exploit! Meanwhile, it opens up a new concept: error markets. Call it an economic model of closed-source debugging. Those who ferret out and learn an exploit for a piece of software put it on an open market.

      The software companies responsible compete at the small-fee level with various others to determine how much that error has cost th
  • by Ph33r th3 g(O)at ( 592622 ) on Monday December 12, 2005 @10:42AM (#14238323)
    eBay is infested with public domain repackagers and sellers of "information" that they seem to do nothing about. But if Microsoft doesn't like an auction, it's gone, apparently.
    • by mrRay720 ( 874710 ) on Monday December 12, 2005 @10:57AM (#14238460)
      ----
      eBay is infested with public domain repackagers and sellers of "information" that they seem to do nothing about. But if Microsoft doesn't like an auction, it's gone, apparently
      ----

      I don't see anything wrong in charging a nominal fee for redistributing public domain work. It's not as if it's not still free somewhere else, it just saves you the effort of going out and rounding it up yourself. In a world of 'money first', allowing this can only help that little bit extra to keep said work alive. How is this different to the books of Dickens still being printed and charged for? The words themselves are free now, but you're paying for them to be wrapped up in a little paper package for you.

      Anyone spending money on an auction for info on how to get a 'free ipod' deserves to get ripped off.

      Quite how either of those are like someone trying to make a profit from selling info of a vulnerability potentially harming millions to a virus writer is beyond me though.

      One is making a bit of money (indirectly) helping to keep public domain work alive, the other is trying to profit from the harm of others.
      • by ultranova ( 717540 ) on Monday December 12, 2005 @01:37PM (#14239688)

        Anyone spending money on an auction for info on how to get a 'free ipod' deserves to get ripped off.

        No they don't. The naive and/or stupid don't deserve to get ripped off any more than old people deserve to get their hipbones broken, or people who don't do martial arts deserve to get beaten up by muggers. These all happen, but they are not right, just, nor the way things should be. That someone is weak is not sufficient justification for others to prey on him.

        I really hate this callous attitude of "If someone can't protect themselves, they deserve to have bad things happen to them, especially if it helps someone else to line their pockets". Especially since the people saying so are the first ones to complain when a bigger bastard, be it government or big business, makes them the ones who get ripped off.

        I guess it is fashionable today to preach about "personal responsibility" and pervert that to mean an attitude of utter pitilessness towards other human beings. Notice how these people are talking about others' personal responsibility as an excuse for their heartlessness. They demand that their property is protected by law, but when that same law is used to provide food and shelter to other human beings - indeed, as soon as they are not the ones getting the benefits - these people start to loudly complain about "nanny state", "communism" or other similar things.

        Sorry for the offtopic rant, but I'm just so sick of this nonsense.

        • They demand that their property is protected by law, but when that same law is used to provide food and shelter to other human beings - indeed, as soon as they are not the ones getting the benefits - these people start to loudly complain about "nanny state", "communism" or other similar things.

          I agree with much of what you say, but I think that you chose a bad example above. In the first case, those people are happy that the government is "allowing" them to use their property as they see fit. In the sec

    • But if Microsoft doesn't like an auction, it's gone, apparently.
      Maybe it has something to do with this [microsoft.com]?
  • Heh... (Score:5, Funny)

    by the_skywise ( 189793 ) on Monday December 12, 2005 @10:46AM (#14238348)
    Now THAT'S capitalism!

    (Or at least a good demonstration of Ferengi behavior...)
  • by ATeamMrT ( 935933 ) on Monday December 12, 2005 @10:47AM (#14238360)
    Someone had put up for auction on eBay the details of an exploit in Microsoft Excel

    I'll buy that one as soon as I buy the product which tells me how to remove all spyware by formatting my hard drive. It's only $7.95, and he sends the PDF file as soon as payment is received. Now if only I knew how to open a PDF file. :(

    Maybe I'll search ebay, and someone can sell me a product which tells me how to open a PDF file. :) :)

    But first, I need to bid on this guy who claims he can teach me how to get Plasma TV's for free from the manufacturers. He says in his ebay auction that manufacturers don't have enough people to test their product and they want me to help them!

    Ebay is more good than bad, but how can these people sell garbage?

    If the guy is selling information on how to exploit software, doesn't that violate the DMCA?

    I guess I should not complain. Ebay is the only place I know of that has everything, the worlds largest flea market.

  • The seller openly taunts the software giant, poking fun at the company's delays in providing fixes for known security bugs. "It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product),"

    Wait, so this is all just a taunt and not true?
  • Bad auction (Score:5, Insightful)

    by mrRay720 ( 874710 ) on Monday December 12, 2005 @10:49AM (#14238384)
    Looking at the motivation this guy has, I can't really see how it can be good.

    So, it was submitted to Microsoft on the 6th, and since then he's received a reply stating they'll probably be working on a fix. That was LESS THAN A WEEK AGO. Releasing vulnerabilities is something that, IMO, should only be done if (a) there is some specific need for everyone to know about it right now, or (b) requests for fixes have fallen on deaf ears or otherwise failed for an extended period of time.
    This meets neither of those criteria.

    - looking to make a profit from releasing details of a vulnerability
    - phrasing the auction in a way that makes it clear he wants the buyer to do something bad - "It can be assumed that no patch addressing this vulnerability will be available within the next few months"

    Sounds to me more like some dumb little script kiddy that got lucky finding a small hole, but doesn't have the ability to do anything with it. Working from an illogical hatred of MS he's trying to get someone else to unleash a virus on the world on his behalf.

    What a great guy.
    • Just as with auctions of body parts and stolen merchandise, eBay reserves the right to pull any auction that it deems is against the best interests of eBay and the community it serves. It's like "at-will" hiring; if they think there's a liability involved (and when it comes to Microsoft, how could there be any doubt BG is on the phone to his lawyers) they'll yank it. They also have a habit of reporting these things to the authorities, so the script kiddie involved may get a knock on the door from the FBI [fbi.gov]. Me

    • by djdavetrouble ( 442175 ) on Monday December 12, 2005 @11:06AM (#14238514) Homepage
      and shame on the moderators as well. This is obviously either a publicity stunt or this guy is just
      having some fun and saying fuck you M$ in a very public arena. Did you read this hilarious part?

      Special offers:
      Microsoft representatives get 10% off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout.


      parent says: phrasing the auction in a way that makes it clear he wants the buyer to do something bad

      No, specifically forbidden by auction text, with no winks or smilies or anything ironic.
      Your bid indicates that you agree to the following:
      1. You may not use this information for malicious or illegal purposes. The information you receive is for educational and
      research purposes only.
      2. The seller reserves the right to refuse delivery to anyone (a full refund will be issued).
      3. The seller will accept no responsibility for anything you do with this information.
      4. The seller cannot be held liable under any circumstances.
      5. Absolutely no refunds will be provided except for the reason mentioned above.


      Parent says: Looking at the motivation this guy has, I can't really see how it can be good.

      It calls to attention that a critical vulnerability will go unpatched for months after it has been properly disclosed. That is the way that it can be good.
    • Looking at the motivation this guy has, I can't really see how it can be good.

      What? Are you implying that greed is not always good? It's elementary Econ. 101: he has the supply, and spammers have the demand. Were he not to unleash this vulnerability on all of us, he'd be violating his sacred fiduciary responsibility to maximize shareholder value. Besides, he and the buyer are both consenting adults, what right do we have to interfere with their freedom? Don't you think the invisible hand will solve

      • If by "Invisible Hand" you mean General Grievous' flagship, then yes, I expect it will solve the issue for us

        http://www.starwars.com/databank/starship/tradefederationcruiser/?id=eu [starwars.com]

        Once the war erupted, such subtlety was lost and Grievous was tasked to take worlds by force. The Invisible Hand, leading the charge of a Microsoft flotilla, grew to be feared in the distant Outer Rim and other unprotected regions of space.

        Weapons:
        14 quad turbolaser turrets;
        34 dual laser cannons;
        2 ion cannons;
        12 point-defense ion

    • Re:Bad auction (Score:2, Insightful)

      by fufinache ( 787019 )
      I think the seller was trying to get Microsoft's patch team into 2nd gear. It sounds like he just thought that making a bit of money out of it would be a side effect for him (look at the original posting price, 1 cent is hardly any profit).

      Releasing vulnerabilities is something that, IMO, should only be done if (a) there is some specific need for everyone to know about it right now, or (b) requests for fixes have fallen on deaf ears or otherwise failed for an extended period of time.

      Does that mean

    • So, it was submitted to Microsoft on the 6th, and since then he's received a reply stating they'll probably be working on a fix. That was LESS THAN A WEEK AGO.

      So? The open-source world fixes vulnerabilities in one or two days. Where's the patch for Excel?

      Microsoft has more money, developers, and R&D facilities than I care to count. They have several orders of magnitude more than it would take to fix these vulnerabilities quickly. They choose not to.

      (b) requests for fixes have fallen on deaf ears or
  • by digitaldc ( 879047 ) * on Monday December 12, 2005 @10:51AM (#14238398)
    Who is the bigger sucker?

    The people who bid on an exploit to make Excel crash? Or those who believed that this was a critical security flaw? Or Ebay for posting it in the first place?

    If you really want to know how to make Excel crash, pick your poison - here is a free link:
    http://search.microsoft.com/search/results.aspx?st =b&na=88&View=en-us&qu=excel+crash [microsoft.com]
    • The bug is believed to be a buffer overflow. This makes it a perfect candidate to execute malicious code within Excel. Imagine being able to send an Excel file to another company you don't think is being truthful with you and r00ting some of their boxen. You could pretty much spy on them all day without antivirus or antispyware picking you up. Imagine sending the Excel file to a game developer and stealing source code for an upcoming game *hint* *hint*. 0-day exploits and unknown exploits are a serious proble
      • Imagine sending the excel file to a game developer and stealing source code for an upcoming game *hint* *hint*.

        Why would a game development firm have the programmers open incoming e-mail ? They are busy enough trying to get the game out before christmas. PR department opens the e-mail - you just can't trust the developers to think of PR when responding to some flamebait letter after an all-nighter. And why, oh why would the programmer have Excel on the development machine ?

        • Why would a game development firm have the programmers open incoming e-mail ? They are busy enough trying to get the game out before christmas. PR department opens the e-mail - you just can't trust the developers to think of PR when responding to some flamebait letter after an all-nighter. And why, oh why would the programmer have Excel on the development machine ?

          Why don't you ask Valve [gamespot.com] those questions?
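    The comment above argues that a buffer overflow in a file parser is what turns "Excel crashes" into "Excel runs the attacker's code". The page gives no details of the actual bug, so the following is an added illustration in C, not Excel's code and not the auctioned vulnerability: a hypothetical record format (2-byte type, 2-byte length, payload) whose length field comes straight from the file. The unsafe parser copies that many bytes into a fixed 64-byte stack buffer, which is exactly the shape of flaw that lets a crafted spreadsheet overwrite the return address; the hardened parser checks the claimed length against both the bytes actually present and the destination size before copying. All record layouts, names and sample bytes here are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical on-disk record (NOT the real Excel/BIFF layout):
 *   [u16 type, little-endian][u16 len, little-endian][len payload bytes]
 * The "label" record is assumed to carry a short text payload.            */
#define MAX_LABEL 64

/* Read a 2-byte little-endian field. */
static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* VULNERABLE: trusts the length field from the file.
 * `len` can be up to 65535, but `label` holds 64 bytes, so a crafted
 * record smashes the stack frame (saved registers, return address). */
int label_len_unsafe(const uint8_t *buf, size_t n) {
    char label[MAX_LABEL];
    if (n < 4) return -1;                 /* not even a header */
    uint16_t len = rd16(buf + 2);
    memcpy(label, buf + 4, len);          /* no bound on len: overflow */
    label[len] = '\0';                    /* also out of bounds for len >= 64 */
    return (int)len;
}

/* HARDENED: the length is validated against what the file actually
 * contains and against the destination buffer before anything is copied. */
int label_len_safe(const uint8_t *buf, size_t n, char out[MAX_LABEL]) {
    if (n < 4) return -1;                 /* header missing */
    uint16_t len = rd16(buf + 2);
    if (len > n - 4) return -2;           /* record claims more bytes than present */
    if (len >= MAX_LABEL) return -3;      /* would not fit (leave room for NUL) */
    memcpy(out, buf + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample records. */
static const uint8_t kBenign[] = { 0x04, 0x02, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
/* Claims 100 payload bytes but only 5 follow: a truncated/hostile file. */
static const uint8_t kTruncated[] = { 0x04, 0x02, 0x64, 0x00, 'h', 'e', 'l', 'l', 'o' };

/* Build a record that really does carry 1024 bytes of filler: the kind of
 * input that overruns the 64-byte buffer in label_len_unsafe(). Returns
 * the total record size written into dst, or 0 if dst is too small. */
size_t hostile_record(uint8_t *dst, size_t cap) {
    const uint16_t payload = 1024;
    if (cap < (size_t)payload + 4) return 0;
    dst[0] = 0x04; dst[1] = 0x02;                       /* type */
    dst[2] = (uint8_t)(payload & 0xff);                 /* len, little-endian */
    dst[3] = (uint8_t)(payload >> 8);
    memset(dst + 4, 'A', payload);                      /* filler an attacker would replace with a payload */
    return (size_t)payload + 4;
}

/* Run the hardened parser over the hostile record and return its verdict
 * (-3 expected). The unsafe parser is deliberately NOT called on it here,
 * because doing so corrupts this process's own stack. */
int demo_hostile(void) {
    static uint8_t big[4 + 1024];
    char out[MAX_LABEL];
    size_t n = hostile_record(big, sizeof big);
    return label_len_safe(big, n, out);
}

int main(void) {
    char out[MAX_LABEL];
    printf("unsafe, benign record: len=%d\n", label_len_unsafe(kBenign, sizeof kBenign));
    printf("safe,   benign record: len=%d label=\"%s\"\n",
           label_len_safe(kBenign, sizeof kBenign, out), out);
    printf("safe,   truncated record: rc=%d\n", label_len_safe(kTruncated, sizeof kTruncated, out));
    printf("safe,   1024-byte record: rc=%d\n", demo_hostile());
    return 0;
}
```

The point of the two checks in `label_len_safe` is that they answer different questions: `len > n - 4` catches a file that lies about its own size (an out-of-bounds read), while `len >= MAX_LABEL` catches the case the commenter describes, a record that is fully present but larger than the parser's buffer (an out-of-bounds write). A parser that only does the first check still overflows.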
  • Censorship? (Score:3, Interesting)

    by canuck57 ( 662392 ) on Monday December 12, 2005 @10:52AM (#14238411)

    ...meantime the original listing on eBay has been pulled.

    Why should not one be able to sell a vulnerability since they are in fact commodities?

    If you can profit from making them, profit from dealing with them then why not profit by discovering them? There are precedents like this, the patent system has companies that hold patents for no other reason than to sue other companies when they trip on a patent.

    All this will do is force the practice underground. Mind you, it does let the world know it is going on.

  • Pricing? (Score:2, Interesting)

    by DynamicPhil ( 785187 )
    Actually, a much more interesting discussion is the:

    How would you go about setting the price of a security hole? What is the worth?

    "By monetary value of what could be lost exploiting the hole", or something else? Estimation of possible gains (user data like credit card info) through usage of the hole - the perpetrators view?

    Because, lets face it: There are people out there willing to pay for information like this.
    (and I'm not saying its right - just stating the fact). There are also others wondering how

    • Estimation of possible gains (user data like credit card info) through usage of the hole - the perpetrators view?

      That's what I'd say it's worth (minus the cost of exploiting of course), since it's the perpetrator who'll be paying for it. It doesn't matter if it costs someone else a lot more than you make - consider how you price say property development rights, not by how much value the houses nearby lose but by how much you can sell what you build for.

    • by SmallFurryCreature ( 593017 ) on Monday December 12, 2005 @12:14PM (#14238976) Journal
      A security hole on its own has zero value. Take for instance those 1 dollar number locks you can get for your luggage. I can tell you how to break them but big deal. Not because a wire cutter will also work (that would leave evidence that the lock has been broken) but because the attached value is too small.

      A security hole gets its value from the attached object. A how-to on bypassing shed locks is less value than a how-to on bypassing a bank safe.

      Next would come how easy it is to exploit the security hole. This one seems to require people to open an Excel sheet. This obviously makes it of lesser value than say an exploit that works when a user opens a gif file via IE. Even more valuable would be an exploit that does not require the user to do anything but can attack any computer just hooked up to the net.

      Would there be money in it? You bet. Once you've got an exploit, using it to install a botnet is child's play and botnets are big business. If you can deliver a 10,000 zombie network there are people willing to pay you hard cash in exchange. Even for just renting it.

      However you would hardly do this over e-bay. There are very few legit uses for a botnet and therefore your potential customers would prefer a less public way of trading it.

      But it does happen. It is one of the reasons we see so few destructive viruses vs the ones that turn a pc into a zombie. Used to be different. Once the majority of viruses either joked or destroyed your machine. Now you just got a zombie. Do I have proof?

      No of course not. Just stories, tall tales from the server room and hints that should a company that hosts pay sites wish to do some advertising that they might know ways that do not involve constantly trying to find the next provider willing to be placed on a ban list for spam.

      Spam sells, ISPs are unwilling to host spammers, so the only question is, will spammers pay for a botnet that can do their spamming. Does the pope shit in the woods?

  • by erroneus ( 253617 ) on Monday December 12, 2005 @10:57AM (#14238458) Homepage
    People are already paying for vulnerabilities in Microsoft software. They get them as part of the purchase of software licenses. (Now, having actual KNOWLEDGE of such vulnerabilities is another matter I suppose...)
  • by muindaur ( 925372 ) on Monday December 12, 2005 @10:57AM (#14238461) Journal
    I don't think it was very irresponsible, maybe only a little, it just lights that fire under Microsoft to fix it. Considering my lack of using unknown Excel files I'm not too worried about it. Like some other posts say, it brought much less attention to the exploit than eBay pulling it did.
  • Argh! (Score:5, Informative)

    by JRHelgeson ( 576325 ) on Monday December 12, 2005 @11:08AM (#14238528) Homepage Journal
    The auction was canceled and I was the high bidder too!
    Here's a mirror of the auction. [heapoverflow.com]

    Joel
  • by CmdrGravy ( 645153 ) on Monday December 12, 2005 @11:09AM (#14238536) Homepage
    It seems to me that E-Bay are behaving somewhat unfairly in pulling this auction. The seller has clearly devoted some time and effort into discovering this piece of information and has behaved responsibly by informing Microsoft of the problem in their software.

    I see no reason why he shouldn't be compensated for the work he's done here and if Microsoft aren't paying him then it's only fair that he offers his work to the highest bidder, it's perhaps unfortunate for Microsoft that he can leverage the most value for his work before they have had a chance to patch the problem but the seller doesn't have any obligation to Microsoft and their problems are no concern of his.
  • by krbvroc1 ( 725200 ) on Monday December 12, 2005 @11:15AM (#14238568)
    From the auction: Microsoft representatives get 10% off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout
  • I was reading through ebay T&C, because the article made me curious.

    I, for one, am very disappointed that I cannot list a prohibited country [ebay.com] for sale:

  • This could be the start of a good way to embarrass companies into fixing bugs AND punishing bad people. Evil person wants to use the exploit, so they bid. Microsoft don't want the exploit usable, so they fix it (run with me on this one for a moment) The clever bit is, the Seller (who is honest, intelligent and socially responsible) sets the auction expiry time far enough into the future to cause a race between the two. M$ are put on public notice when the exploit becomes usable. If they win the race, Evil
    • The clever bit is, the Seller (who is honest, intelligent and socially responsible) sets the auction expiry time far enough into the future to cause a race between the two.

      eBay limits when you can set an auction to expire; I believe the maximum allowed is ten days.

      Also note that an exploit Microsoft has already patched can still be dangerous, since most people don't update that often.
  • I'm pretty sure it was meant as a joke, he just took a chance to jab at MS. Don't take it too seriously. After all, he only wanted 1 cent for it.
  • I understand why they pulled it. Think about it...you've managed to collect about 10 people with a lot of money and bad reputations, along with about 10 people with a lot of money and a lot to loose to the people with the bad reputations. They're all there and you offer for auction the world's best superweapon. We'll call it a frickin' laser for the sake of argument. So you start bidding on the frickin' laser at $.01 and somebody dishonest makes an offer. This is immediately followed by another dishonest gu
  • by SHP ( 8391 ) on Monday December 12, 2005 @01:23PM (#14239571)
    I thought M$ bugs were a dime a dozen.

    -SHP
  • Hunting stores sell lots of guns and knives all the time, and if someone buys one of these and kills someone else the hunting store is not to blame. Just as this guy should not be blamed if his sale had led to a misuse of the exploit.
  • This stunt just reflects poorly [com.com] on security researchers. Yes it sucks that MS is slow to respond, but threatening to sell the exploit to the highest bidder doesn't help. It just comes off as extortion or aiding virus writers.
  • http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=6588680836 [ebay.com]

    Apparently he is a researcher that was looking to find the true market value for an exploit by selling it on ebay. Was gonna write a paper.

    Joel
