Google Project Zero (GPZ) is refusing to give Microsoft further extensions on disclosing a Windows 10 authentication bug because it says a patch Microsoft delivered in the August 2020 Patch Tuesday update is incomplete.
One of the 120 security bugs Microsoft released patches for on Tuesday was CVE-2020-1509, which was reported to Microsoft on May 5 by GPZ Windows researcher James Forshaw.
The bug allows a remote attacker who’s already gained credentials for a Windows account on a network to elevate privileges after sending a specially crafted authentication request to the Windows Local Security Authority Subsystem Service (LSASS).