Excel vulnerability posted on eBay

Printable View

10-12-2005, 07:23 PM
Steve

Excel vulnerability posted on eBay

An auction in which disclosure of a vulnerability in Microsoft's Excel spreadsheet software was being sold has been pulled by eBay, following a complaint by Microsoft. It's not unusual for somebody to disclose details of a vulnerabilty, but selling that information on eBay is a new one.

Quote:

The vulnerability, which could allow a malicious programmer to create an Excel file that could take control of a Windows computer when opened, appears to be real. Members of the Microsoft Security Response Center (MSRC) are investigating the vulnerability report, a spokesperson for the software giant said Thursday night. eBay pulled the auction after Microsoft complained to the company's Trust and Safety Team, said Catherine England, spokeswoman for the online auctioneer.

[Security Focus]
10-12-2005, 08:31 PM
TheAnimus

The morals of some people, not to mention i fail to see how it could compromise a machine? I'm guessing its program injection, as such it should be strickly a user mode problem. Yet if its all versions of office effected one that could spread like wildfire (everyone trusts .xls .doc).

However it could just be a vb script macro.
10-12-2005, 10:26 PM
XA04

I'm guessing it would be some sort of macro, as if it was any other sort of vulnerbility it wouldn't be worth fussing about tbh.
10-12-2005, 11:42 PM
RedPutty

It would be worse if it wasn't a macro and was something you couldn't switch off e.g a very long value in a cell causing a buffer overflow.
11-12-2005, 02:54 PM
poolking

Since this was posted the auction has been removed.
11-12-2005, 03:09 PM
UKMuFFiN

:stop: this is the MSRC! Step away from the keyboard!
12-12-2005, 12:59 AM
TheAnimus

Quote:

Originally Posted by XA04

I'm guessing it would be some sort of macro, as if it was any other sort of vulnerbility it wouldn't be worth fussing about tbh.

Any (compitent) network admin has untrusted scripting macro's disabled.

The thing is information about security holes shouldn't be sold on ebay, its not as if MS don't give dosh for people keeping their mouth shut.
12-12-2005, 01:54 AM
riojin

if i was running ebay id let this one slide. make microsoft pay for the infomation so they can fix their product
12-12-2005, 02:20 PM
TheAnimus

no because it amounts to blackmale, what is there stopping me posting a vunerability about your computer on ebay? Make you outbit everyone who wants to get access?