Status of Submitted Vulnerabilities To MSRC

Bug Title: Microsoft Local Security Authority Subsystem Service (LSASS) Remote Memory Corruption.

• Affected software: Microsoft Local Security Authority Subsystem Service (LSASS)
• Type: Memory Corruption.
• Submitted: 15/09/2016
• Coordinated disclosure agreement expiration: 15/12/2016.
• Notes and updates:
  -Proof of concept code was sent on 17/09/2016, no confirmations or real updates were received since then.
  – 28/09/2016: Issue confirmed by MSRC, they are planning on releasing a patch on each affected platform.
  – MSRC informed the bug submitter that they are planning to release a patch on November 8, 2016, that is a full month in advance of the 3 months deadline.

Bug Title: SMBv2 Remote Memory Corruption.

• Affected software: Microsoft SMBv2.
• Type: Memory Corruption.
• Submitted: 25/09/2016. 
• Coordinated disclosure agreement expiration: 25/12/2016.
• Notes and updates:
  – MSRC is currently investigating the issue.
  – Microsoft confirmed the issue on 28/09/2016.
  – Bug submitter extended his coordinated disclosure agreement to 1 more month, due to certain circumstances around this issue.

Bug Title: Microsoft Active Directory PDC Remote Code Execution.

• Affected software: Microsoft Active Directory
• Type: Protocol Abuse
• Submitted: 09/12/2016
• Bug status: Implemented in Responder v2.3.2.2
• Notes and updates:
  – Proof of concept code was sent on 12/09/2016, Microsoft is planning to release a security fix “over the next few months”.
  – Additional proof of concept provided on 02/10/2016 leading to privilege escalation.