eBay closes auction for cracked Vista notebook
On the last day of the PWN-to-OWN competition held at the CanSecWest security conference, Shane Macaulay of Security Objectives managed to exploit a vulnerability in Adobe's Flash player under Windows Vista SP1 to compromise the laptop. When he subsequently attempted to sell the computer on eBay on Monday evening, the auction site pulled the plug on him after a few hours, explaining that the auction violated the provider's rule that items on sale must not harm others.
A spokesperson for eBay told US media that the description of the item drew the attention of the company's security experts who monitor auctions. According to the New York Times, the exact wording was: "This laptop is a good case study for any forensics group/company/individual that wants to prove how cool they are, and a live example, not canned of what a typical incident responce sitchiation [sic] would look like."
Macaulay admitted in a conversation with The Register: "At least on the eBay item, I was being a little sensationalistic, but I was just trying to get a sale … By the time they would have gotten it, I'm positively sure it would be patched ... The reason i didn't say that outright (was) i wanted to … see what the market would pay …" But he assured readers that he did not intend to violate any competition rules that prohibit the publication of details of a security flaw before a patch has been provided.
Macaulay cracked the Vista notebook at CanSecWest along with his two friends Derek Callaway and Alexander Sotirov. The zero-day vulnerability in Adobe Flash that the trio exploited has not been made public, but has been reported to Adobe. No other information will be provided until the flaw has been fixed. Macaulay says that the flaw affects 90 per cent of computers worldwide, not only those running the version of Vista installed on the notebook.
- EBay Yanks Sale of Laptop With Vista Attack Code, report from the New York Times