Chronology of a 0-Day Excel Vulnerability

Here is what we know:
1) Item number 7203336538 appeared on eBay on the 7th of December 2005 (Thanks to OSVDB for taking the snapshot).

2) A few hours later, the item was removed from eBay.

3) On the 9th of December 2005, the seller of the item, fearwall, changed his name to smk778.

4) On the 12th of December 2005, the same day the bid should have ended, the following post appeared on Full Disclosure, 2x 0day Microsoft Windows Excel.

What can we learn from this chronology? Quite a bit, but most of it is speculation.

The eBay item may or may not be the same vulnerability as the one revealed several days later, but the coincidences are too strong to ignore.

The smk778 (fearwall) person may or may not be related to the heapoverflow team/forum; on the surface there appears to be no relation between the two, the person and the group (heapoverflow).

I hope more information will come to light about this issue, hopefully also from readers of this post who can shed more light on the subject. Still, the chronology shown here shows a clear path between the vulnerability described in the eBay item and the later full disclosure of a (possible) 0-day Excel vulnerability.

  • Aviv Raff

    Heapoverflow’s vulns look like a null pointer, while the vuln that appeared on eBay claims to allow remote code execution.
    Plus, Heapoverflow introduced two vulns. Fearless wanted to sell only one.

  • RiP

    As I was going through the hex of bug1.xls I came across the following text… “Marc Behar gives 0.01$ blowjob at ebay, gogogo !!!” I wonder who Marc Behar is?

  • Dave

    I went through the hex of both the files, as well, and I suspect Marc Behar is Fearless, from eBay. Also both files reference the phrase ‘Feuilles de calcul’ which translates from French to ‘Calculation leaves’. In each instance the phrase is followed by the ASCII character 3 (hex code 03). Helpful?

  • Pingback: SecuriTeam Blogs » Microsoft’s Real Test with Vista is Vulnerabilities