MS Excel exploit on auction
geo_2677 writes "Someone had put up for auction on eBay the details of an exploit in Microsoft Excel, according to a recent article on SecurityFocus. According to the article, Microsoft has confirmed that this vulnerability exists, but in the meantime the original listing on eBay has been pulled." The auction has now been pulled, but it does appear that Microsoft has confirmed the vulnerability in an eWeek article.
More information and a few questions: (Score:5, Interesting)
First, in the interest of stimulating more informed discussion, here is some more information concerning the auction:
From the auction text: Second, two questions:
Discuss.
Re:More information and a few questions: (Score:5, Funny)
Re:More information and a few questions: (Score:4, Insightful)
No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.
EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.
This is not 'full disclosure', its selling information to the criminals.
Re:More information and a few questions: (Score:5, Insightful)
Re:More information and a few questions: (Score:3, Insightful)
Let the revolution begin, I say.
obAlphaCentauriQuote (Score:3, Insightful)
"As the Americans learned so painfully in Earth's final century, free flow of information is the only safeguard against tyranny. The once-chained people whose leaders at last lose their grip on information flow will soon burst with freedom and vitality, but the free nation gradually constricting
Re:obAlphaCentauriQuote (Score:2)
Suppression of information is a necessary (Score:3, Interesting)
Suppression of information is a necessary fact of life in a world where information can be used to harm others.
This does not justify suppressio
Re:Suppression of information is a necessary (Score:2, Insightful)
Various law enforcement agencies would find the contact info useful...
I'd rather have leaked codes public and changed than known in a limited group (same for any other "secret" codes.) Anyw
Re:Suppression of information is a necessary (Score:5, Interesting)
Re:Suppression of information is a necessary (Score:2, Flamebait)
Do you have links?
In the second case, you're talking about classified material that only those with clearances who agreed not to disclose it would be privy to
Isn't that somewhat circular logic? It's OK to suppress information that's classified, but only because it's classified as top secret by the government? Why is it top secret? Isn't that the reason it's classified?
I find it iron
Re:Suppression of information is a necessary (Score:2)
I disagree with your conclusions, but I now understand your distinction.
I think that the world is a better place because some information is kept secret. I don't view this as a "slippery slope" because I don't view it as an all or nothing question.
Re:Suppression of information is a necessary (Score:2)
Re:Suppression of information is a necessary (Score:2)
Sort of, though I'm not completely happy with how you worded it.
You can simply not hand out Top Secret information to people who have not already taken a secrecy obligation. And of course it would be quite criminal for someone to break in to a safe to obtain the information.
However if someone does independent physics research and/or public documents research and figures out the mate
Re:Suppression of information is a necessary (Score:2)
Re:Suppression of information is a necessary (Score:2)
Perhaps you saw the person type in that security code. If you saw them type it in, is there not a chance that somebody else did as well? Perhaps the owner of the home doesn't take his system seriously enough and occasionally tells people his code.
By releasing this information, and making sure you know he released it, he will be more likely to change that security code... in the same way the maker o
Re:Suppression of information is a necessary (Score:2, Interesting)
Re:Suppression of information is a necessary (Score:2)
If your security code is public knowledge, are you not more likely to change it?
It's an arbitrary distinction.
Re:Suppression of information is a necessary (Score:2)
You seem to have answered your own question, and contradicted your original theme at the same time.
Yes, if you see me type in my security code, I would much rather you tell me you know it and that you are going to publish it, and then have you publish it, than have you walking around secretly knowing my code. If you tell me it is compromised and will be made public, you are 'darn'd tootin' I'm going to change it as soon as possible, and implement better procedures to keep it from leaking in the futu
Re:Suppression of information is a necessary (Score:2)
Another arbitrary distinction.
Re:Suppression of information is a necessary (Score:2)
If I am told someone's home security number, it is my choice as to whether to release it. Social pressure should be enough to stop me from spreading it, but let's say it doesn't.
I spread the information. The second it gets back to the homeowner, he changes his code and never tells me again, meanwhile, doesn't trust me with anything ever
Re:Suppression of information is a necessary (Score:3, Insightful)
Re:Suppression of information is a necessary (Score:2)
Re:Suppression of information is a necessary (Score:2)
Yes. Again, yes. If you can obtain it, yes. Sure.
Truth is, you couldn't do any of that if you tried. I could do the first and second, b
Re:Suppression of information is a necessary (Score:2)
Re:Suppression of information is a necessary (Score:2)
Laws won't help. They're way too nonfluid to be able to adapt to the number of situations needed to handle security issues. The only thing that does help is an alert
Re:Suppression of information is a necessary (Score:2)
You appear to want to draw a line in the sand, pitching some examples to suggest its proximity, but no matter how much you assert its existence, I don't see it. I hope I'm not standing on your invisible friend.
I'm trying to make a subtle point here. Think! I know this is Slashdot, but someone will get it.
Re:Suppression of information is a necessary (Score:3, Insightful)
Are you kidding? Of course not. Excel is used by MILLIONS of people and the testing that needs to go into any kind of patch takes a weeee bit longer than 7 days.
In addition, we have no idea of the implementation details of the patch. Perhaps the offending code actually lives in a system library. This further adds to the time it takes to implement and test a patch.
This guy put the expl
Re:More information and a few questions: (Score:2)
I mean, those such companies haven't been shut down yet, how illegitimate could they be?
Re:More information and a few questions: (Score:3, Interesting)
No, criminal profiteering. The only type of person who could make use of the information apart from Microsoft is a criminal.
So you're asserting that a security professional could not use the information to create a patch or fix for this vulnerability?
EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.
I'm having a hard time finding the exact violation on eBay's prohibited and restricted items page [ebay.com]. Think you could point
Re:More information and a few questions: (Score:2)
Sure, right here. [ebay.com]: "Without limiting other remedies, we may limit, suspend, or terminate our service and user accounts, prohibit access to our website, remove hosted content, and take technical and legal steps to keep users off the Site if we think that they are creating problems, possible legal liabilities, or acting inconsistently with the letter or spirit of our policies."
And right here [ebay.com]: "eBay alone will exercise its judgment in deciding which listings are not permiss
Re:More information and a few questions: (Score:5, Insightful)
What about the system administrator trying to secure his networks? There are plenty of legitimate reasons why someone would want to know exactly what the vulnerability is so they are able to stop people from using it.
EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material.
So vulnerabilities are now illegal material? Better call the cops and the feds to shut down Microsoft because they seem to be producing a lot of them.
This is not 'full disclosure', its selling information to the criminals.
Wouldn't that depend on the person who would have won the auction? See also point 1).
Zing! (Score:2)
Exactly. From the Microsoft viewpoint, trying to secure anything without their permission or use of another one of their products is criminal.
Stop questioning Microsoft y
Re:More information and a few questions: (Score:3, Insightful)
Re:More information and a few questions: (Score:3, Interesting)
Ah yes, and a reporter who writes an exposé on rotten airport security and SELLS it to the New York Times is criminal activity any way you shake it.
You have a bizarre definition of "criminal" and "illegal", and you have no grasp of law. The law does NOT equal "I don't like it".
By the way, if anyone wants to make Nitroglycerine here's how...
Ingredients:
Glycerine
Concentrated sulphuric acid
Concentrated nitric acid
Glyc
Re:More information and a few questions: (Score:2)
Re:More information and a few questions: (Score:5, Insightful)
Considering that the opening bid was set at $0.01, I doubt he really expected to profit. Instead he probably just wanted to call public attention to the exploit and force Microsoft to address it quickly.
Re:More information and a few questions: (Score:2, Informative)
Re:More information and a few questions: (Score:2)
Re:More information and a few questions: (Score:2)
Criminals, yes, and everyone who is considering which program to use, as well as anyone who uses Excel - after all, knowing an exploit might help one avoid situations where one might be vulnerable.
If information about vulnerabilities is i
Re:More information and a few questions: (Score:2)
Bullshit.
To paraphrase one of the full-disclose list participants...
It's ok for CERT to sell 0-days or iDefense to buy 0-days and sell info to clients? Because that's what they do, but that's ok?
EBay has a right and a duty to stop trade in vulnerabilities same as they have a right and duty to stop trade in any other illegal material...
Just what, exactly, is this alleged "illegal mate
Re:More information and a few questions: (Score:5, Interesting)
Re:More information and a few questions: (Score:2)
I guess Ebay rules are just like actual laws: it doesn't really matter whether you actually broke one; there are so many laws, some very vague, that almost anything can fall under one law or another with a bit of rationalization. Just look at the Constitution, today's federal govt. is completely different from that of 1788, even though the federal govt. is supposedly established by the Constitution which has hardly changed at all.
Re:More information and a few questions: (Score:2)
It broke the "ebay doesn't like it" rule (Score:5, Insightful)
Now if I worked for eBay and was the guy with his finger on the button, so to speak, for canceling auctions, I'd pull this. Why? Well, simple cost-benefit analysis:
It's entirely possible, even likely, this guy is lying (I'm talking from their perspective, pre MS announcement) and thus we'll just get involved with having to refund someone's money in the end. But let's assume he's telling the truth. In that case we would be on the hook for a ton of bad publicity since no doubt the press would eat up the story of eBay selling hacking instructions, and we might even be civilly or criminally liable for knowingly allowing this to go on. Now weigh that against the 2% or so we'd make from the final sale, maybe a few hundred at most if the auction gets bid way up. Not even a blip on our balance sheet. Thus, we cancel the auction.
eBay's a business, pure and simple. They'll let you sell whatever you want (for a cut) unless they feel what you are selling might cause them trouble. That's why they ban some entire classes of items, like firearms. It's not illegal to sell firearms on the Internet, and there are sites that do it. However it's tricky, since they have to be shipped to a licensed dealer and so on. It exposes you to a lot more liability, liability eBay doesn't want, so they just outright ban them.
All well and good, but... (Score:2)
Re:More information and a few questions: (Score:2)
The software companies responsible compete at the small-fee level with various others to determine how much that error has cost th
What was the grounds for pulling the auction? (Score:5, Insightful)
Re:What was the grounds for pulling the auction? (Score:4, Insightful)
eBay is infested with public domain repackagers and sellers of "information" that they seem to do nothing about. But if Microsoft doesn't like an auction, it's gone, apparently
----
I don't see anything wrong in charging a nominal fee for redistributing public domain work. It's not as if it's not still free somewhere else, it just saves you the effort of going out and rounding it up yourself. In a world of 'money first', allowing this can only help that little bit extra to keep said work alive. How is this different to the books of Dickens still being printed and charged for? The words themselves are free now, but you're paying for them to be wrapped up in a little paper package for you.
Anyone spending money on an auction for info on how to get a 'free ipod' deserves to get ripped off.
Quite how either of those are like someone trying to make a profit from selling info on a vulnerability potentially harming millions to a virus writer is beyond me though.
One is making a bit of money (indirectly) helping to keep public domain work alive, the other is trying to profit from the harm of others.
Re:What was the grounds for pulling the auction? (Score:5, Insightful)
No they don't. The naive and/or stupid don't deserve to get ripped off any more than old people deserve to get their hipbones broken, or people who don't do martial arts deserve to get beaten up by muggers. These all happen, but they are not right, just nor the way things should be. That someone is weak is not sufficient justification for others to prey on him.
I really hate this callous attitude of "If someone can't protect themselves, they deserve to have bad things happen to them, especially if it helps someone else to line their pockets". Especially since the people saying so are the first ones to complain when a bigger bastard, be it government or big business, makes them the ones who get ripped off.
I guess it is fashionable today to preach about "personal responsibility" and pervert that to mean an attitude of utter pitilessness towards other human beings. Notice how these people are talking about others' personal responsibility as an excuse for their heartlessness. They demand that their property is protected by law, but when that same law is used to provide food and shelter to other human beings - indeed, as soon as they are not the ones getting the benefits - these people start to loudly complain about "nanny state", "communism" or other similar things.
Sorry for the offtopic rant, but I'm just so sick of this nonsense.
Re:What was the grounds for pulling the auction? (Score:2)
I agree with much of what you say, but I think that you chose a bad example above. In the first case, those people are happy that the government is "allowing" them to use their property as they see fit. In the sec
Re:What was the grounds for pulling the auction? (Score:2)
Re:What was the grounds for pulling the auction? (Score:2)
Heh... (Score:5, Funny)
(Or at least a good demonstration of Ferengi behavior...)
Re:Heh... (Score:4, Funny)
If you're not a part of the solution, there's good money to be made in prolonging the problem.
You can buy anything on Ebay (Score:4, Funny)
I'll buy that one as soon as I buy the product which tells me how to remove all spyware by formatting my hard drive. It's only $7.95, and he sends the PDF file as soon as payment is received. Now if only I knew how to open a PDF file. :(
Maybe I'll search ebay, and someone can sell me a product which tells me how to open a PDF file. :) :)
But first, I need to bid on this guy who claims he can teach me how to get Plasma TVs for free from the manufacturers. He says in his eBay auction that manufacturers don't have enough people to test their product and they want me to help them!
Ebay is more good than bad, but how can these people sell garbage?
If the guy is selling information on how to exploit software, doesn't that violate the DMCA?
I guess I should not complain. eBay is the only place I know of that has everything, the world's largest flea market.
Re:You can buy anything on Ebay (Score:2, Insightful)
One man's garbage is another's gold.
Re:You can buy anything on Ebay (Score:2, Funny)
You know, you're right. But I remember when I was a wee little nooblet, a lil' bastard at the computer (maybe 15 years old) and I would find endless amounts of entertainment at the number of channels on mIRC.
And some of these channels would have "hackorz" and/or "warez" in the titles. Now, I'm not sure what the 'z' meant but they sure the hell were interesting channels.
A particular channel, you could go in and sa
Re:You can buy anything on Ebay (Score:2)
Re:You can buy anything on Ebay (Score:3, Funny)
Poking fun? (Score:1)
Wait, so this is all just a taunt and not true?
Bad auction (Score:5, Insightful)
So, it was submitted to Microsoft on the 6th, and since then he's received a reply stating they'll probably be working on a fix. That was LESS THAN A WEEK AGO. Releasing vulnerabilities is something that, IMO, should only be done if (a) there is some specific need for everyone to know about it right now, or (b) requests for fixes have fallen on deaf ears or otherwise failed for an extended period of time.
This meets neither of those criteria.
- looking to make a profit from releasing details of a vulnerability
- phrasing the auction in a way that makes it clear he wants the buyer to do something bad - "It can be assumed that no patch addressing this vulnerability will be available within the next few months"
Sounds to me more like some dumb little script kiddy that got lucky finding a small hole, but doesn't have the ability to do anything with it. Working from an illogical hatred of MS he's trying to get someone else to unleash a virus on the world on his behalf.
What a great guy.
Re:Bad auction (Score:2)
Just as with auctions of body parts and stolen merchandise, eBay reserves the right to pull any auction that it deems is against the best interests of eBay and the community it serves. It's like "at-will" hiring; if they think there's a liability involved (and when it comes to Microsoft, how could there be any doubt BG is on the phone to his lawyers) they'll yank it. They also have a habit of reporting these things to the authorities, so the script kiddie involved may get a knock on the door from the FBI [fbi.gov]. Me
I don't think you read the RTFA (Score:5, Informative)
having some fun and saying fuck you M$ in a very public arena. Did you read this hilarious part?
Special offers:
Microsoft representatives get 10% off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout.
parent says: phrasing the auction in a way that makes it clear he wants the buyer to do something bad
No, specifically forbidden by auction text, with no winks or smilies or anything ironic.
Your bid indicates that you agree to the following:
1. You may not use this information for malicious or illegal purposes. The information you receive is for educational and research purposes only.
2. The seller reserves the right to refuse delivery to anyone (a full refund will be issued).
3. The seller will accept no responsibility for anything you do with this information.
4. The seller cannot be held liable under any circumstances.
5. Absolutely no refunds will be provided except for the reason mentioned above.
Parent says: Looking at the motivation this guy has, I can't really see how it can be good.
It calls to attention that a critical vulnerability will go unpatched for months after it has been properly disclosed. That is the way that it can be good.
Re:Bad auction (Score:3, Funny)
What? Are you implying that greed is not always good? It's elementary Econ. 101: he has the supply, and spammers have the demand. Were he not to unleash this vulnerability on all of us, he'd be violating his sacred fiduciary responsibility to maximize shareholder value. Besides, he and the buyer are both consenting adults, what right do we have to interfere with their freedom? Don't you think the invisible hand will solve
invisible hand (Score:2)
http://www.starwars.com/databank/starship/tradefederationcruiser/?id=eu [starwars.com]
Weapons:
14 quad turbolaser turrets;
34 dual laser cannons;
2 ion cannons;
12 point-defense ion
Re:Bad auction (Score:2, Insightful)
Does that mean
Re:Bad auction (Score:2)
So? The open-source world fixes vulnerabilities in one or two days. Where's the patch for Excel?
Microsoft has more money, developers, and R&D facilities than I care to count. They have several orders of magnitude more than it would take to fix these vulnerabilities quickly. They choose not to.
(b) requests for fixes have fallen on deaf ears or
Who is the bigger sucker here? (Score:4, Interesting)
The people who bid on an exploit to make Excel crash? Or those who believed that this was a critical security flaw? Or Ebay for posting it in the first place?
If you really want to know how to make Excel crash, pick your poison - here is a free link:
http://search.microsoft.com/search/results.aspx?s
Re:Who is the bigger sucker here? (Score:3, Insightful)
Re:Who is the bigger sucker here? (Score:2)
Why would a game development firm have the programmers open incoming e-mail? They are busy enough trying to get the game out before Christmas. The PR department opens the e-mail - you just can't trust the developers to think of PR when responding to some flamebait letter after an all-nighter. And why, oh why, would the programmer have Excel on the development machine?
Re:Who is the bigger sucker here? (Score:2)
Why don't you ask Valve [gamespot.com] those questions?
Censorship? (Score:3, Interesting)
Why should not one be able to sell a vulnerability since they are in fact commodities?
If you can profit from making them, profit from dealing with them, then why not profit by discovering them? There are precedents like this: the patent system has companies that hold patents for no other reason than to sue other companies when they trip on a patent.
All this will do is force the practice underground. Mind you, it does let the world know it is going on.
Re:Censorship? (Score:2)
Re:Censorship? (Score:2)
It's called logic. Your library has books on the topic.
Re:Censorship? (Score:2)
Drugs are commodities which cannot always be bought and sold freely because with some of them it is illegal to do this. I don't think it's illegal to sell information about vulnerabilities in software.
The grandparent was trying to say that the selling of vulnerabilities is illegal, which it isn't.
Re:Censorship? (Score:2)
Re:Censorship? (Score:2)
You give your post the name Censorship. This is nothing of the sort. Censorship would be if MS sued or threatened the guy if he posted the vulnerability on a web site.
http://en.wikipedia.org/wiki/Censorship
It does look to me to be suppression of ideas. There isn't a law forbidding the sale of the knowledge about vulnerability and all sorts of different stuff is sold on eBay.
He didn't, he's profiteering from a weakness in someone's defences, not fighting for freedom of speech. Sticking with the analogy th
Pricing? (Score:2, Interesting)
How would you go about setting the price of a security hole? What is the worth?
"By monetary value of what could be lost exploiting the hole", or something else? Estimation of possible gains (user data like credit card info) through usage of the hole - the perpetrators view?
Because, let's face it: there are people out there willing to pay for information like this.
(and I'm not saying it's right - just stating the fact). There are also others wondering how
Re:Pricing? (Score:2)
That's what I'd say it's worth (minus the cost of exploiting of course), since it's the perpetrator who'll be paying for it. It doesn't matter if it costs someone else a lot more than you make - consider how you price say property development rights, not by how much value the houses nearby lose but by how much you can sell what you build for.
Well alright, let's run with this idea (Score:4, Interesting)
A security hole would get its value from the attached object. A how-to on bypassing shed locks is less value than a how-to on bypassing a bank safe.
Next would come how easy it is to exploit the security hole. This one seems to require people to open an Excel sheet. This obviously makes it of lesser value than, say, an exploit that works when a user opens a gif file via IE. Even more valuable would be an exploit that does not require the user to do anything but can attack any computer just hooked up to the net.
Would there be money in it? You bet. Once you've got an exploit, using it to install a botnet is child's play, and botnets are big business. If you can deliver a 10,000 zombie network there are people willing to pay you hard cash in exchange. Even for just renting it.
However you would hardly do this over eBay. There are very few legit uses for a botnet and therefore your potential customers would prefer a less public way of trading it.
But it does happen. It is one of the reasons we see so few destructive viruses vs the ones that turn a PC into a zombie. Used to be different. Once the majority of viruses either joked or destroyed your machine. Now you just get a zombie. Do I have proof?
No, of course not. Just stories, tall tales from the server room, and hints that should a company that hosts pay sites wish to do some advertising, they might know ways that do not involve constantly trying to find the next provider willing to be placed on a ban list for spam.
Spam sells, ISPs are unwilling to host spammers, so the only question is, will spammers pay for a botnet that can do their spamming? Does the pope shit in the woods?
Microsoft cannot handle the competition (Score:4, Funny)
Fire under microsoft (Score:3, Insightful)
Argh! (Score:5, Informative)
Here's a mirror of the auction. [heapoverflow.com]
Joel
seller's feedback list (Score:3, Interesting)
Looks like the seller just bought a keystroke logger....
Re:seller's feedback list (Score:3, Informative)
Re:seller's feedback list (Score:2)
An honest day's pay for an honest day's work (Score:3, Insightful)
I see no reason why he shouldn't be compensated for the work he's done here, and if Microsoft aren't paying him then it's only fair that he offers his work to the highest bidder. It's perhaps unfortunate for Microsoft that he can leverage the most value for his work before they have had a chance to patch the problem, but the seller doesn't have any obligation to Microsoft and their problems are no concern of his.
The funniest part... (Score:5, Funny)
OT: Ebay terms and conditions (Score:3, Funny)
I, for one, am very disappointed that I cannot list a prohibited country [ebay.com] for sale:
This could be a good way to set time limits? (Score:2, Interesting)
Re:This could be a good way to set time limits? (Score:2)
eBay limits when you can set an auction to expire; I believe the maximum allowed is ten days.
Also note that an exploit Microsoft has already patched can still be dangerous, since most people don't update that often.
I Think it's Pretty Funny (Score:2, Insightful)
Seriously.. (Score:2)
WAAAYYY overpriced (Score:3, Funny)
-SHP
He is not to blame (Score:2, Interesting)
Reflects Poorly on Security Researchers (Score:2)
He just posted another auction (Score:2)
Apparently he is a researcher that was looking to find the true market value for an exploit by selling it on ebay. Was gonna write a paper.
Joel
Re:slashdottet? (Score:2)
If you bothered to read Microsoft's own guidelines you would see that IIS is the one you need to host the internet; it is also an excellent choice for 'intranets' (they are like the internet but for companies to tell their staff how many new yachts the sales team have bought and advise on whether the current economic climate will allow the on-going pay freeze to fin
Re:Heh (Score:2, Interesting)