Saturday, December 10, 2005

eBay pulls auction of Excel vulnerability

GameShout reported: An online eBay auction was pulled today after a hacker tried to sell a vulnerability of the Microsoft Excel spreadsheet program.

At least hackers are now trying to profit from their work, rather than just sending out viruses to hurt people. Maybe they will soon decide to get jobs at virus protection companies.

The hacker went by the name "fearwall" and actually had a bid going of under $60. This is a very unusual route to hacker profit making, but the listing was banned and removed by eBay. According to the eBay listing, the zero-day vulnerability in Microsoft Excel had been reported on Tuesday, December 6th. "All the details were submitted to Microsoft, and the reply was received indicating that they may start working on it," wrote the seller. "It can be assumed that no patch addressing this vulnerability will be available within the next few months."

The unpatched vulnerability is in the way that Excel, the popular spreadsheet included in all editions of Microsoft's Office suite, validates the data in some worksheets when it parses files. "The vulnerability can be exploited to compromise a user's PC," claimed the seller. He also took several potshots at Microsoft, saying that the opening bid of $.01 was "a fair value estimation for any Microsoft product" and offered a 10 percent discount to any Microsoft employee who mentioned the discount code "LINUXRULZ."

Another Microsoft hater.

A spokeswoman for Microsoft confirmed that the listing on eBay was for a real bug in Excel. The Microsoft Security Research Center has not been made aware of any attacks attempting to use the vulnerability. Microsoft also said that there were no customer impacts at this time. Microsoft said that researchers were investigating the vulnerability, and might release either a fix or a security advisory in the future.

1 comment:

Don Singleton said...

Curious what your thoughts on this are, Don?

It is good that Microsoft is being pressured to plug problems in their software (he had reported it to Microsoft on Tuesday, December 6th, but "the reply was received indicating that they may start working on it," wrote the seller. "It can be assumed that no patch addressing this vulnerability will be available within the next few months.").

My suspicion is that Microsoft felt it was not that significant a problem, but that does not mean that the warped mind of some hacker could not find a way to make it be a problem.

The only unique thing is that rather than just posting it on a hacker site, he tried to make some money from it.