What’s so special about zero-day vulnerabilities?

You may have heard about the zero-day vulnerability in the Tor Browser that was disclosed yesterday. It’s a big deal, and not just because of the ethics of buying and selling undisclosed vulnerabilities. Many people who use Tor Browser do so because of the privacy and security protections it offers—protections that the vulnerability had threatened ever since it appeared.

The creator of NoScript, the browser extension with the vulnerability, released a new version within two hours of the disclosure—but said the vulnerability first appeared in May 2017. And the broker who disclosed the vulnerability said they had known about it for several months.

A zero-day vulnerability, in the end, is just a vulnerability. It isn’t necessarily more exploitable than any other weakness or flaw in your application; it doesn’t necessarily expose more of your or your customers’ sensitive data. So what makes it so special—and dangerous? Jonathan Knudsen, applications engineer with Synopsys Software Integrity Group, explains:

What is a zero-day vulnerability?

A zero-day vulnerability is a rare and precious thing. When a bug is first found by a lucky researcher or a wily attacker, it is called a zero-day because no one, anywhere, has a defense for it. Eventually the zero-day vulnerability becomes widely known, either because a researcher disclosed it discreetly, a researcher disclosed it noisily, or the zero-day vulnerability gets exploited by malware. At this point the vulnerability is no longer a zero-day and becomes a known vulnerability; it can be added to all the reactive security products, such as antivirus software, firewalls, vulnerability scanners, and so forth.

What happens when someone finds one?

Zero-day vulnerabilities are valuable to groups wishing to perform offensive operations—including both cyber criminals and state-sponsored hacking groups. A researcher who finds a zero-day vulnerability has a few options:

  1. The researcher can responsibly disclose the vulnerability to the authors of the software, giving them time to fix the vulnerability and release a new version of the software before the vulnerability is publicly known.
  2. The researcher can sell the zero-day to anyone willing to pay for it. Cyber criminals and state-sponsored hacking groups are both possible customers, but the market is large enough that entire companies exist just to act as intermediaries. Thus, a researcher can sell a zero-day vulnerability without knowing anything about the eventual customer.

The recent disclosure of a bypass of the Tor Browser’s NoScript setting is an example of one way a zero-day becomes a known vulnerability. In this case, the organization that discovered the zero-day disclosed it directly on Twitter, choosing the timing to ensure that a new version of Tor that is not vulnerable is currently available.

Any vulnerability is a zero-day vulnerability if someone else finds it first.
