You may have heard about the zero-day vulnerability in the Tor Browser that was disclosed yesterday. It’s a big deal, and not just because of the ethics of buying and selling undisclosed vulnerabilities. Many people who use Tor Browser do so because of the privacy and security protections it offers—protections that the vulnerability had threatened ever since it appeared.
The creator of NoScript, the browser extension with the vulnerability, released a new version within two hours of the disclosure—but said the vulnerability first appeared in May 2017. And the broker who disclosed the vulnerability said they had known about it for several months.
A zero-day vulnerability, in the end, is just a vulnerability. It isn’t necessarily more exploitable than any other weakness or flaw in your application; it doesn’t necessarily expose more of your or your customers’ sensitive data. So what makes it so special—and dangerous? Jonathan Knudsen, applications engineer with Synopsys Software Integrity Group, explains:
A zero-day vulnerability is a rare and precious thing. When a bug is first found by a lucky researcher or a wily attacker, it is called a zero-day because no one, anywhere, has a defense for it. Eventually the zero-day vulnerability becomes widely known, either because a researcher disclosed it discreetly, a researcher disclosed it noisily, or the zero-day vulnerability gets exploited by malware. At this point the vulnerability is no longer a zero-day and becomes a known vulnerability; it can be added to all the reactive security products, such as antivirus software, firewalls, vulnerability scanners, and so forth.
Zero-day vulnerabilities are valuable to groups wishing to perform offensive operations—including both cyber criminals and state-sponsored hacking groups. A researcher who finds a zero-day vulnerability has a few options:
The recent disclosure of a bypass of the Tor Browser’s NoScript setting is an example of one way a zero-day becomes a known vulnerability. In this case, the organization that discovered the zero-day disclosed it directly on Twitter, choosing the timing to ensure that a new version of Tor that is not vulnerable is currently available.