This list is intended to give vague information about submitted bugs, but important information about communication process and timeline.
Bug Title: Microsoft Local Security Authority Subsystem Service (LSASS) Remote Memory Corruption.
- Affected software: Microsoft Local Security Authority Subsystem Service (LSASS)
- Type: Memory Corruption.
- Submitted: 15/09/2016
- Coordinated disclosure agreement expiration: 15/12/2016.
- Notes and updates:
-Proof of concept code was sent on 17/09/2016, no confirmations or real updates were received since then.
- 28/09/2016: Issue confirmed by MSRC, they are planning on releasing a patch on each affected platform.
- MSRC informed the bug submitter that they are planning to release a patch on November 8, 2016, that is a full month in advance of the 3 months deadline.
Bug Title: SMBv2 Remote Memory Corruption.
- Affected software: Microsoft SMBv2.
- Type: Memory Corruption.
- Submitted: 25/09/2016.
- Coordinated disclosure agreement expiration: 25/12/2016.
- Notes and updates:
- MSRC is currently investigating the issue.
- Microsoft confirmed the issue on 28/09/2016.
- Bug submitter extended his coordinated disclosure agreement to 1 more month, due to certain circumstances around this issue.
Bug Title: Microsoft Active Directory PDC Remote Code Execution.
- Affected software: Microsoft Active Directory
- Type: Protocol Abuse
- Submitted: 09/12/2016
- Bug status: Implemented in Responder v2.3.2.2
- Notes and updates:
- Proof of concept code was sent on 12/09/2016, Microsoft is planning to release a security fix "over the next few months".
- Additional proof of concept provided on 02/10/2016 leading to privilege escalation.