eBay Pulls Bidding for MS Excel Vulnerability

dipdude

Forerunner
What's the retail value of a security vulnerability in Microsoft Corp.'s Excel spreadsheet program? At last check: $53 and counting.

An unknown security researcher chose a novel way to issue a warning for a code execution flaw in Excel—posting it for sale on eBay. But the auction was pulled late Thursday after discussions between Microsoft and eBay Inc.

When the auction was squashed, the bidding had reached $53 and had attracted 19 offers.

A spokeswoman for Microsoft confirmed that the eBay listing was indeed a legitimate security flaw in Excel. "[We] have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but will continue to investigate the public reports to help provide additional guidance for customers," the spokeswoman said in a statement sent to Ziff Davis Internet News.

The spokeswoman said the company was investigating the report and working with eBay to determine the appropriate course of action to protect Excel users.

In the listing, posted by a seller named "fearwall," the issue is described as a zero-day vulnerability that was discovered on Dec. 6, 2005 and reported to Microsoft.

The seller openly taunts the software giant, poking fun at the company's delays in providing fixes for known security bugs. "It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product)," the listing read.

It said a percentage of the proceeds from the auction would be contributed to various open-source projects.

"Microsoft representatives get 10 percent off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout," it added.

The seller also provides brief details on the flaw, which occurs because Excel does not perform sufficient data validation when parsing document files.

"As a result, it is possible to pass a large counter value to "msvcrt.memmove()" function which causes critical memory regions to be overwritten, including the stack space. The vulnerability can be exploited to compromise a user's PC," according to the listing.

"It is feasible to manipulate the data in the document file to get a code of attacker's choice executed when [a] malicious file is opened by MS Excel. The exploit code is not included in the auction. You must have very advanced skills if you want to further research this vulnerability," it added.

The seller promised to provide the winning bidder with two .xls files—one file is the original Microsoft Excel document, the other one is a copy of the same document modified to demonstrate the vulnerability.

"The demonstration merely triggers the exception causing Excel to crash. It does not do anything malicious. A detailed description of the vulnerability will be provided in the message body."
 
Back
Top