News
News
12/9/2005
01:04 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Hacker Tries To Sell Excel Flaw On EBay

According to the since-yanked listing, the zero-day vulnerability in Excel had been reported to Microsoft on Dec. 6. "It can be assumed that no patch addressing this vulnerability will be available within the next few months," the seller wrote.

An unknown security researcher tried to sell a vulnerability in Microsoft's Excel spreadsheet program on eBay, but the online auction site pulled the listing late Thursday.

The unusual route to vulnerability profit-taking was squashed by eBay after the listing--offered by someone only identified as "fearwall"--was bid up to just under $60.

According to the since-yanked listing, the zero-day vulnerability in Excel had been reported to Microsoft on Tuesday, Dec. 6. "All the details were submitted to Microsoft, and the reply was received indicating that they may start working on it," wrote the seller. "It can be assumed that no patch addressing this vulnerability will be available within the next few months."

The unpatched vulnerability is in the way that Excel, the popular spreadsheet included in all editions of Microsoft's Office suite, validates the data in some worksheets when it parses files.

"The vulnerability can be exploited to compromise a user's PC," claimed the seller.

He also took several potshots at Microsoft, saying that the opening bid of $.01 was "a fair value estimation for any Microsoft product" and offered a 10 percent discount to any Microsoft employee who mentioned the discount code "LINUXRULZ."

A spokeswoman for Microsoft confirmed that the listing on eBay was for a real bug in Excel. "The Microsoft Security Research Center has not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but [it] will continue to investigate the public reports to help provide additional guidance for customers," she said in an e-mail to TechWeb.

The spokeswoman also said that Microsoft's researchers were investigating the vulnerability, and might (or might not) release either a fix or a security advisory in the future.

"The company is working with eBay to determine the appropriate course of action," she also said.

[Update, Monday, Dec. 12; 12:45 pm: The original article included the phrase "against the seller" after the preceding quote, outside of the quotation marks. That was incorrect; Microsoft is working with eBay to determine a general course of action to protect its customers. ]

Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government, May 2014
NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work?
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.