You may have heard about the zero-day vulnerability in the Tor Browser that was disclosed yesterday. It’s a big deal, and not just because of the ethics of buying and selling undisclosed vulnerabilities. Many people who use Tor Browser do so because of the privacy and security protections it offers—protections that the vulnerability had threatened ever since it appeared.
The creator of NoScript, the browser extension with the vulnerability, released a new version within two hours of the disclosure—but said the vulnerability first appeared in May 2017. And the broker who disclosed the vulnerability said they had known about it for several months.
A zero-day vulnerability, in the end, is just a vulnerability. It isn’t necessarily more exploitable than any other weakness or flaw in your application; it doesn’t necessarily expose more of your or your customers’ sensitive data. So what makes it so special—and dangerous? Jonathan Knudsen, applications engineer with Synopsys Software Integrity Group, explains: