This list is intended to give vague information about submitted bugs, but important information about communication process and timeline.

Bug Title: Microsoft Local Security Authority Subsystem Service (LSASS) Remote Memory Corruption.

  • Affected software: Microsoft Local Security Authority Subsystem Service (LSASS)
  • Type: Memory Corruption.
  • Submitted: 15/09/2016
  • Coordinated disclosure agreement expiration: 15/12/2016.
  • Notes and updates:
    -Proof of concept code was sent on 17/09/2016, no confirmations or real updates were received since then.
    – 28/09/2016: Issue confirmed by MSRC, they are planning on releasing a patch on each affected platform.
    – MSRC informed the bug submitter that they are planning to release a patch on November 8, 2016, that is a full month in advance of the 3 months deadline.

Bug Title: SMBv2 Remote Memory Corruption.

  • Affected software: Microsoft SMBv2.
  • Type: Memory Corruption.
  • Submitted: 25/09/2016. 
  • Coordinated disclosure agreement expiration: 25/12/2016.
  • Notes and updates:
    – MSRC is currently investigating the issue.
    – Microsoft confirmed the issue on 28/09/2016.
    – Bug submitter extended his coordinated disclosure agreement to 1 more month, due to certain circumstances around this issue.

Bug Title: Microsoft Active Directory PDC Remote Code Execution.

  • Affected software: Microsoft Active Directory
  • Type: Protocol Abuse
  • Submitted: 09/12/2016
  • Bug status: Implemented in Responder v2.3.2.2
  • Notes and updates:
    – Proof of concept code was sent on 12/09/2016, Microsoft is planning to release a security fix “over the next few months”.
    – Additional proof of concept provided on 02/10/2016 leading to privilege escalation.

By admin