reflect that fact. AusCERT asks about Core's plans regarding the issue.
. 2008-04-28:
CERT/CC suggests that in light of the vendor statement one last effort
should be attempted, setting a date for publication one or two weeks
into the future and presenting the final drafts of the report to the vendor.
. 2008-04-28:
Core sets the advisory publication date to May 12th and indicates to the
three CERTs that the date is considered final unless concrete details
about a patch release schedule are communicated no later than May 8th.
Core sends MSRC notes taken during the conference call. Actions items:
. MSRC to provide workaround and mitigations and to follow-up on
issues demonstrated by the second PoC.
. Core to further investigate workarounds and mitigations and to
provide MSRC the final draft of the advisory before publication (by
Monday).
. 2009-06-04:
MSRC sends notes of the conference call. Official workarounds and
mitigating factors to be included in the Security Bulletin and link the
. 2010-02-02:
BlackHat presentation slides sent to MSRC
. 2010-02-02:
Final draft of the advisory sent to Microsoft. Vulnerability identifiers
requested from Mitre and SecurityFocus.com
. 2010-02-03:
CoreLabs Security Advisory CORE-2009-0625 published
. 2010-03-03:
MSRC requests a status update
. 2010-03-03:
Core replies that its still working on gathering more details to
finalize the final draft of the advisory and that as soon as that work
is completed it will be published. Core is currently working on two
tacks: 1- Identifying the root cause of the problem to have a more clear
understanding of the effects and potential mitigations other than
recommending users simply to not use Virtual PC. 2- Identifying cases of
previously disclosed vulnerabilities that would be more easily
advisory is re-scheduled to May 21th, that date is final.
. 2008-05-14: Vendor acknowledges reception of the last email and
appreciates that Core posponed the advisory publication date.
. 2008-05-20: Core send the final draft of the advisory to the vendor.
. 2008-05-21:
An edited and corrected final version of the advisory is sent to the
vendor.
http://code.google.com/p/android/issues .
. 2008-02-26: Core indicates that publication of CORE-2008-0124 has
been moved to March 3rd 2008, asks if an estimated date for the BMP fix
is available and if Core should file the reported and any future bugs
in the public issue tracking page.
. 2008-02-29: Final draft version of advisory CORE-2008-0124 is sent to
the vendor as requested. Core requests for any additional comments or
statements to be provided by noon March 3rd, 2008 (UTC-5)
. 2008-03-01: Vendor requests publication to be delayed one day in
order to publish a new release of Android with a fix to the BMP issue.
. 2008-03-02: Core agrees to delay publication for one day.
for Feb. 25th. will indeed fix the bug. ii) Vendor commits by Feb. 13th.
to a fix release date for the remaining set of affected products. iii)
Vendor communicates any change to the Feb. 25th. release date by COB Feb
20th. and the new release date does not exceed 6 working days from the
currently scheduled date.
. *2008-02-22*: Final draft of CORE-2007-0930 sent to VMware's Product
Security Group. Any additional information to be included in the advisory
should be received by COB Friday February 22nd.
. *2008-02-25*: CORE-2007-0930 published.
*References*
advisory is re-scheduled to May 21th, that date is final.
. 2008-05-14: Vendor acknowledges reception of the last email and
appreciates that Core posponed the advisory publication date.
. 2008-05-20: Core send the final draft of the advisory to the vendor.
. 2008-05-21:
An edited and corrected final version of the advisory is sent to the
vendor.
for December 9th.
. 2008-11-11: Core informs the vendor that the patch was tested and
works on Office XP (i.e. the crash avoided) and confirms that it intends
to publish advisory CORE-2008-0228 on December 9th as previously
established by both parties.
. 2008-12-04: Core sends the final draft of the advisory to the vendor.
. 2008-12-09: Microsoft Security Bulletin MS08-072 is released.
. 2008-12-10: Advisory CORE-2008-0228 is published.
10. *References*
planned schedule on publication date included.
2007-11-21: Lotus Notes security acknowledges Core’s last email
2007-11-27: Email from Lotus Notes notifying of the release of the
Technote concerning this issue.
2007-11-27: Email from Core’s advisories team sent to Lotus Notes Security
with final draft of security advisory CORE-2007-0821
2007-11-27: CORE-2007-0821 advisory published
*Additional Information/ Resources*
[1] Lotus Staff, Worksheet File Formats, Addison-Wesley Longman Publishing
Co., Inc., Boston, MA, 1987.
query is basic functionality required of any DNS resolver. It is also a
*MUST* requirement of section 9.1 of RFC5452. Core indicates that it
will consult with Mitre to figure out if one, two or zero new CVE
identifiers should be used in reporting these bugs since CVE-2008-1447
may or may not be applicable for the first bug described in the
advisory. As soon as the final draft of the advisory is ready for
publication Core will send it to Microsoft as requested and ask for
comments or any official statement to be added to its Vendor Information
section.
. 2010-05-03:
