[ISN] eBay Yanks Listing For Excel Bug

InfoSec News isn at c4i.org
Mon Dec 12 03:16:42 EST 2005


Forwarded from: Marjorie Simmons <lawyer at carpereslegalis.com>

http://www.techweb.com/wire/ebiz/174910093

By Gregg Keizer
TechWeb News
December 09, 2005

An unknown security researcher tried to sell a vulnerability in
Microsoft's Excel spreadsheet program on eBay, but the online auction
site pulled the listing late Thursday.

The unusual route to vulnerability profit-taking was squashed by eBay
after the listing--offered by someone only identified as
"fearwall"--was bid up to just under $60.

According to the since-yanked listing, the zero-day vulnerability in
Excel had been reported to Microsoft on Tuesday, Dec. 6. "All the
details were submitted to Microsoft, and the reply was received
indicating that they may start working on it," wrote the seller. "It
can be assumed that no patch addressing this vulnerability will be
available within the next few months."

The unpatched vulnerability is in the way that Excel, the popular
spreadsheet included in all editions of Microsoft's Office suite,
validates the data in some worksheets when it parses files.

"The vulnerability can be exploited to compromise a user's PC,"
claimed the seller.

He also took several potshots at Microsoft, saying that the opening
bid of $.01 was "a fair value estimation for any Microsoft product"
and offered a 10 percent discount to any Microsoft employee who
mentioned the discount code "LINUXRULZ."

A spokeswoman for Microsoft confirmed that the listing on eBay was for
a real bug in Excel. "The Microsoft Security Research Center has not
been made aware of any attacks attempting to use the reported
vulnerability or customer impact at this time, but [it] will continue
to investigate the public reports to help provide additional guidance
for customers," she said in an e-mail to TechWeb.

The spokeswoman also said that Microsoft's researchers were
investigating the vulnerability, and might (or might not) release
either a fix or a security advisory in the future.

"The company is working with eBay to determine the appropriate course
of action," against the seller, she also said.




