|
|
|
eBay Pulls Bidding for MS Excel Vulnerability
By: Ryan Naraine
2005-12-09
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
An unknown security researcher chooses a novel way to issue a warning for a code execution flaw in Excel—posting it for sale on eBay. But the auction was pulled late Thursday after the bidding reached $53.Whats the retail value of a security vulnerability in Microsoft Corp.s Excel spreadsheet program? At last check: $53 and counting.
An unknown security researcher chose a novel way to issue a warning for a code execution flaw in Excel—posting it for sale on eBay. But the auction was pulled late Thursday after discussions between Microsoft and eBay Inc.
When the auction was squashed, the bidding had reached $53 and had attracted 19 offers.
A spokeswoman for Microsoft confirmed that the eBay listing was indeed a legitimate security flaw in Excel. "[We] have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but will continue to investigate the public reports to help provide additional guidance for customers," the spokeswoman said in a statement sent to Ziff Davis Internet News.
The spokeswoman said the company was investigating the report and working with eBay to determine the appropriate course of action to protect Excel users.
In the listing, posted by a seller named "fearwall," the issue is described as a zero-day vulnerability that was discovered on Dec. 6, 2005 and reported to Microsoft.
The seller openly taunts the software giant, poking fun at the companys delays in providing fixes for known security bugs. "It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product)," the listing read.
 Two bulletins are on tap for Microsoft Patch Day. Click here to read more.
It said a percentage of the proceeds from the auction would be contributed to various open-source projects.
"Microsoft representatives get 10 percent off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout," it added.
The seller also provides brief details on the flaw, which occurs because Excel does not perform sufficient data validation when parsing document files.
"As a result, it is possible to pass a large counter value to "msvcrt.memmove()" function which causes critical memory regions to be overwritten, including the stack space. The vulnerability can be exploited to compromise a users PC," according to the listing.
"It is feasible to manipulate the data in the document file to get a code of attackers choice executed when [a] malicious file is opened by MS Excel. The exploit code is not included in the auction. You must have very advanced skills if you want to further research this vulnerability," it added.
The seller promised to provide the winning bidder with two .xls files—one file is the original Microsoft Excel document, the other one is a copy of the same document modified to demonstrate the vulnerability.
"The demonstration merely triggers the exception causing Excel to crash. It does not do anything malicious. A detailed description of the vulnerability will be provided in the message body."
Check out eWEEK.coms for the latest news, views and analysis on servers, switches and networking protocols for the enterprise and small businesses.
|
|
�������xr8(�ViW1E*d[.kʲ<D{{?.�P`S�/92p=z#�m��)>M3ȩ�����Gl&J~x'AT�{��#�x5��5Κ�}ٚ#7Gp2 X��M$0��kzZ'�jZ�6�(CL��ex,Z�wzD~V�hGe�Ma�oN
�w"�Ntod9�Q�6#RTR/F�<���w��;�FVq�B�
{.Yu^?��خq�8]�b'*#O^3l��bㅰ�H�A-c�9p=�u�#wJ;rMG9"�QcO$ա�Uq�LJAtf>D�>8�z
v
v=rJ�53'
=K�;O=k��N]w=j�P?�b@2hưaqpo! d4V#��kF=Ķ|h�G'�)tq�r�_սYoׁn܍O�ςI�5t�O|BMk6
tI<
Y�C#ʠ�:ڴ�\�V�c�4!�D�&
aAh>[W <{� }�
0&ԟr!DAЂMz>t�T�9�]|�2��Z�9<�({�hk�=`DMWt��CP���DM}���PC��n@�}S(�|`OA=Z�9{ݲeǀxԜ�)u`Hd˕�N��}&@�H>'���hI#r�����
B ,`@n%`9 P�� a�b
.�u@�Gҥ;rjX*�kR1eb -x[b�~I�Lg2+Iɴa���X�9�yDM�f#�T`B[ụLKa�k`DݞrA+żMCF�qiB�Z9,)��Az�dE56Sq'3r@吖3t��f�3��p#EQƔt�Â[x�u|s8���Z\ƈu*C��=��@3~�~�f僪Az3����Bf{����ٌI8��A�0:A̞P��,j\p�>QY~pI�$TEI5ҋS)_4�I
�R >5M+�} 8C��_gM�����cY!�h($'pC!fR;=��Mrʳ"�#��C_7�X>ťHN(m�t'�й+>q^v.iC@Ӭ�YK�uooE[�9(�ĿKӺJ�jp -�H#o`��koռE_x�ue8Hi K-C�rB`}.E�6GQ4�dJ
�&Ϳ�]�ϞZC>c�+�UV�ᏡLXVFV-iV9ִrX,y|�p6X"�@�7w�M)mT.mT^�Χީ;�i6�E;�3|tf:���3?�RlC4ӱH80W�2`a��QUU[�*X[��S�D�2.P\���+���UraҝŅeriQ=o.);UC]JZa6oM��z+�U}�>8`C�LmRM}Bu߲�ӧ㎃WK.hAf2,Ƹ'q?�|��2ex�L,`_C݇l̠::7$ciL�SKm9�p��%&��րziHe� �/Za'�
C�ؚðyU_z?2k��r]ilu�0q`*�Z3se�f+;��T*[Pfۻ(�Q<&�;alâ�#_��� C���>(epHl`_��`@B^���� &@SZ`\F�k���ZCbPD܄wц.�;|P,�,@��ХCkz]W9ë#߬%p�pgw%�eXY8�f�-��1_0kY
�/ÊTU5ݧ�i
~�>EV�6őG�@�q?@*:2
XY 0��(E{耰�⢉�!H�+�����4kpý225\zVU;OP(�;w>k-}4f{F;$�`@"�+j�Ev�~Ia�������Q'3Gŵ5��
�{é�Cf�5Ma�&Fž�JZPk{:`,��[D
zX�È�h��qņ�Z
�
g54};N`[��
kfh�+,s��Jb+�ͤV(EcLEt�jC<ϤMvU)HW�}ˀ�ey�M�`�%ͳq58=_PpnGi�
>יgS�!p<7L�M�2��]մRb/�_��
s*?�=l�)[36PYn20˓�~T�Sc'oa:\
Y GOpOD7fS��"�>sԵйdNcl s��ܒ;��!k̀X'V-7|��8 B�|mi>⇇a9K}rv'<�
hr�͵m��7f>��;" ^ �1='l9L�6[JI)�`uV�EZ)~�)HǞ1|]�ܩe>t1N�;*})#��ʌ�E/S Ymq'&.Ҁ^ߵ�\T3 fkc>�?/c�i�)T",߸X,W̱�'^`�SX�Z>6lz�
�ti:tGM4*H!I�{uO(�Eō:m0T�BE-) Bo����n,��:
⊗q�~Z+�τkox|�A�6�2j=kR>,J'厈�¸�_v�^Iў��b2�aOJ�wٸZ8P#̞úeDi a�\&LX�u@�Z:G*ݔ;Y`'.ӪV�$,< �����Jj$7
rQӊ 5`JR�'0�i[ c��( rQ-��ã,z(�_d�2rY��+`7�'�ʠ��K=� �j ;!�]DZq|V
n�&<1�wOX]dK!M�o$DDOC�V�gX&1W+�ʬڼ f@48'�oן�ZU{�AE@"�j}ߵ?%
?���/l�8F�:~�ݕDw�{?ܶz�G}UO:o[_ �u�_w^suD�DмpыR�q_KKx�4Wuu�)��X|ptu&ڍ�M~l1�|˾WM� $(��X�p���OՋ"qvֺ whg^�py+ @@WN:^-�7�ZWKߧ
?wL.[WM)�^s-y2W#&Ըl}:bO*�a�ٸ �?>m6<M�F�k�d�S�4+�H[3 BX:7g�N,�S�VXKR!�}&�>C�mP6h�ن�{+^�+[�Ě_�f·?B!|J'7oRo2MD�Yk�.NEl�=O[�?qu#1݇a�Twݣd*
e~�=m0첰tC%�<0OL)dJHSI8�z>SB&T5˓$-I^O Eqj�i�e�ʒ��~(h'1ۡX#�ҡۓ�^7G8
(OLkrwisy/Ps��yx�2iI�(5�^q�*�AB|$Hy�0Γ�Jw�鳁VKu^c'�`|xRr�'Tz�@+G"�=tӨaEbӝca��i9F]<��;�{��WQ
=d�ZonW8Zt]ta|c|w�sF�'5\{�>'#塺1&�zN`
s o.�(�cǩm:{@�D'+-R!EkE��wW�UK��O7"�E�'%:#ڮ/=ا�kY\�hdS֛�12�~!OkO=�ri�'&}Xs?�4h�g
@[ɱ=�Ι�a�dOB%�[euw+[c�³��D`GHA|égA� jm9��ntpUE0p1-�Kpj��ulE;ʷ/'Ɏ?eMz��sf2i�1kpߕ_S;��ZR|
� �.��i{\na��'x�{7d\ڊ�}�aK~~�Ɩv/il`0�q4L~@+lFY�:ˬŲ��]&�5��pru_,Hj[آ7tz�,ɧ)a�;Ro1<-@ϣ_�^j-h0 �'�5�?Y6�?ɵ��cƘfF�kP�7:p~ v<']L(qZ0+JMX�JqE:xdQ�Pݯ?��rtϷ�aBftLbG $a�ڥ,VL����(`�pD؉-k8dq&.;} N'7@�x�1;�BG>,1wm�qϐp`h ܂�c!וP����hD1�Y�8��nKz,O��a�Hc.ꤻF9ҷq&ǜwsI��"#��:2cn�}zr� Մ6e�xLu�:��S^�>v�c"Ql-� c�ގ�mEy�SOlk�YYP1`�~
dڰB�wff�r�K{4% Ą8���_XEaU�~
rz6y\/ⴗp%�[,?�Ĺ^"�#I+��R��@q���+?�Mۋ`%DSPKOVx9zhR�a�|:Ե�`��̽�^SR
%��i�����'=�6CoQiGZQʒVږV/.>�AD-�3cP+£ҥϬ�Զ)�<)���� @��> !D!~[X�D$ԟN4W�4f�s�H8�zb̨E+F�W|}Ý")���_�a4 9�F
�� �UR>ڒ���@�cw�Ht-KH�?�m� @�RD"��I�5/Hl�k}CH��EҶ6+f.ثR��`?a߆��Ao*}� �S:dS*c�[UU��℥�p39b8"ũ0]\''''}j>'�˫wMbQ��NG:vz0v���Z&�zon��3� $"
�"^�Q$DSPK[R͋�Ji~n5o�wB�yװh;�$+ ,n d�kT<<,V����G7pDx��[ � [+�H�2-',5p�%T ([Rb)1tԞK-R�tZ^CY�^!9Wc5hz Ϸwf�1zN�z���yDL��
r=vp�KT[d/I�Q��$OL�fo^�G <�-罿%geGMgF\�&((˼J�(b4&}вX��y�
�hfQ%%_q̺�k8W:F&��oбwzsw#���xy2km9�m�ߛ�\]-�NGS&Fޢ���4vƩ>-�KE.eV{�["�6i>b�IxOU:j�u�G��+rv=F�ON�naxwwnl6a�Mri=}횆�G$~mȝ%:Wm��sշ=x{c*%r�S�tM]X@dDR8F����
Y�$!Fd|�!w?�~w\hy]x}ǝa##Pqakq{&~�Kz,�/6s0�a8>Gz���pH��ޯ^?B^��!�v�|}_s
�auk:A�/��E�:'
��+{|'{FNcC6E۸ꂠ,n,n,Η!&իgw�kJB�#��o@�ߞ*~Ѱ�k}ۚ_A�DB�=\̨X\7�,ϗR_�l|��s�ze�L��KT�ayݔqp>[{꘣xʍo���Of�
�wm}+-Bw7F�ֈۯ��ԑ# �4@+ly{ѫ__Ⴂk&`OݩneF��P^%�`srW|kofN��&]uK٠BҚ^@M`�$;65嵙t�m{{�Ʒi�S�`�W۲:ư:]�/6�<}: dUoko��_J6eb5��qfL�zlïn�B�i��f-e։5yV(��<0X��'5s+xr�(.0E7z f|pT`WI��|`u1�נ 8eQO�|%^_V
'�W-N�F/*`5`-P�'ɋC�>T��S&Lm!~�%0 L���Dxsm~mqlwL�w�=
L2.eãErU���t�}7 fdZPh��s| �=%fT�8A�#;"w�?q�T��ݥ1e�˟d?��Y?`�tw�b䭼շd�?�?~܋n ?Y�̡;{�駠T��,Ao��1��@M��rt���x��w�ķk7ē�ˮqO/�òbݵg#�⟎�Z�.g ��DŢW\�gz@RCB(lߛh�F푂�ѰH��L68~܋.!,p[Z8��^䄲�m̃4>(CZPBZ!��K}M=�I�r9�ꊚbMk�@`¸�~�LDZ#@�O��^�a)qc�)�+p��x���L,pyБy3�Mt{iaj1fS�Y�h9�M!cb9�fj�P]O,b�Rky�KN�ߥt�c��
T
n �T�J�9t[`�ɣS#DVt�pU)
&
0Z`nh1�Ѻ9L}VŠ��F�Jk&p]�OJ;7�X6�.W@O[jkwfhDP"ͪD\`*z
1Qh
7p�K��cYBMGr8�+ە>A�4�lSKaZ$~�TRU�!�s��)8"�̶!nB�?ZA)rx�ߡ<�愇�ozȕժTjQ�ܣF +��鲻pgJn4rq�W�,<�,TOಈG=yԑ8mxΆJZP-F={N�;���Ttu_oHϚP6(Z<<}Q,턂R!F�'��70�cg%� �l9
sXxw[Mw5=(~�zb{L�]/��bWR^aw�#ᷭ� �khɓ sT3:q_ac�i*pm[*{3�e-<,�ν幉m�'X^sj?L\�saeI�M�&Yqۏ�o[ͳ�.04&0#�9���K?��� <�OSjX:?�K }+a�>�㑍Xp%U!7TQ�L�~MjMh9mfik84�x�c#^:��Q@�O@L%F�J �4�w�\��P�|�HS7O�R(?jUeqb+;Z75��/Ui_8AnJmݲY9�0��鄎 &=&
)<<]��
�r@JoIg8|<|6�ڈy�ki�$�Y� cMr//�\IxC#�6ޔkgv rF@Yj!u=(9q��a��:B�p�՛GF\5o^yE��@��ܝ����<�y�]N�Yz <
La,7�c'L$�EuE)
2k1wK�yvf�;�c삶Gpu/ـ
tS�
|9[CG)W��9Ĕ#MصJ;ּxsU��1"[W�'0�ឩ T1,0)�k�M(q�i+8?�OAa2Lkt2&z��X�C5KޝR>ɖàZEQ�t#ߛ��3,ȏ%n���KM byN��]ƒ�$�Bq0Ӝh6@2߰��b�JU(IhRW�|W
\g�ޕa)豪�ߕ)^&�;ee,%}�=Mȕ@��Z��Ȑq~�/�< �&O=lF(Xws̫иB;7AoMt=i]Z+rҼy'lkE/WQwIiyy}Ӻ��Rf&�E`9Y22 Wv)3S9�mꌸ4�Wd̀W.�}QX\m�kIz�0%lyї�5�1o&(6Mղ�r
Z/�j:ٙE֔fyS�M�-GcjXǤ\js���@1@C|m^6O{sCx_m\�9^f�B�7P~�(@y'�)�pp(?瀟�|OPi}E+Wh/oꭳr_+i]eC[�?v3ʿ@�2�>hz;c~0v���o�O���賝Amv�}"^e3(A2P(ʘ+�ʘ��ȟN|dȗk�3�ɠ.1.1�_/z/�)>Cr�}�}-f�f--m�%u$e!(odY��NoT�8'�\$^Je�YWa uuQ~��@y�Jɠ2,c3\.��2Kܿw2~2Am]vΒ
aq�ʍz�^S_xڜ薽pۭ]��nX_KG{1*�,xW& ��e���^>&c����˼$=)>w�槤I��xո]@&JRo-cENj9.~QxdB$h{�dZ#+m�DuLΎQUޜb>/�ydֺWWV�Wl�NA�m(�ϋ9y}³2iA}:�*+6�:�5Q3[� %ÈC?��8Л�4Cg6�'[�5}�NoM:R��N���?|Y&ƀY8'}R?аs7�3@�j<}�m̹qo.f߰-� t6EM+�+J9wWrHi3�""C�7�Q*R%}e`rX*V�&���K=3
��.=m^d fM-ϡ'�!�p<@>fJ-�@ P��1�=:aǬl*Y�ۼx�0l{|y�N
ڎy�@���7��J�,���{�sŨـD@Sǝ}g_�p1^`L�Ѱ!�,%sv[F0�
S|wNH�35�x' ?�3Εy�Gn�4@{4�M=�ɓ�2�}*ՅoO 0� hJ/.ӡGx7�#K�Q,V,%Xw�j�,�`O�`XC�,['l�ybb)mԿ+�H|r�[�l�21wH�P,CV}E&"0�;��Vӄ.ҡ/'"hzx#���"�n+[�R[i0��1yjq|
̸r^a��v],]32�
§On3 &�`T83>�/z�chd1Mk��+�͘P
zlۨ�\wrnC�k�x!ʮF)\Dœj@@rveN�tj'B�?|�c�_6�����b2OF:༓H_c'#EU'<4�`&�N�ϘK˙=) ˯sҝ`&<[tÄ-YRcm%^#%&aBc I�=�g����C�{)L9ꃧrS��Y`�_GBb� �+M
�
L8BZ}�M�>I�pW, {+2�_I�uZdzԦӱEm]kτ�x{p.B@�kev2*=��"��cX
=��
O�t ,�Mav;
���f�Y{6Dπj�
fyyU�� (pd+�'}L~N�0~NZ]�v0N9DEP!/;vm�)f��GNFp)N�<}q?٢�uK�ğopm�.�;�+C}^pgUvy*K*>`H�A1q)�i�[%:Ɛ�=-���)0�p,\f�Ѵ�(Fْ[0���f?")1��<&�wnEc�?�dtE��#b[p!@>PM&2R8WD
�Q)YBAł?�Vg;Y\)
3/�* '8BU(][�x[9�ċO'W<߶JP+jdV(l:�ؖ?^ c/p���Ķ`:�Vڕ*zYD1e~}=3�Ӳg(q",@P�pP�+�K�ei$Vit9�npS`�hvp#b� ��}�u+y!.��0�: .X=lP#nH[T�FM�®,:v` {^];=�k{!*kWЅnaT�x囸9m��@�>���{z��wn}C\��:1V`wY=g[8K cd.
,�$8jVI�{{a0��&iE-㨤t`C
v�_ʉ~ph;?�҈Y>A� wVǰ�YF!Ƨۅ7�'T�S*�4.v>Ͻn̯]2�xDh^N"�X=<,͇d'KWµ1_^5�El݃*�Ԉ�AyA@�`�V\3|f7tZ�S5gnB<]�SL��&j1Bi6a1�}bf�Y�W`2-�Z�.<�̳�(`�,��Lv"V�KJMΡmjP�0H6�c?p�f��W�@˽ŵ]�Ag"a?<#�/a_(�`y��ba*"e��}q$Y
|
Network Security & Hardware 
