Mozilla on Wednesday filed a motion with the U.S. District Court in Tacoma, Wa., asking the government to disclose a vulnerability it exploited in the Tor Browser and Firefox. The FBI used the zero-day to hack a child pornography site and de-anonymize users visiting the site using the Tor Browser.
Mozilla’s motion asks that the government disclose the vulnerability at least 14 days before it fulfills a previous motion granted to the defendant Jay Michaud requiring the FBI to hand over details on the exploit to the defense team under a protective order.
“Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community,” wrote Mozilla chief legal and business officer Denelle Dixon-Thayer. “In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly.”
The Tor Browser is partially built on open source Firefox code, but also includes proxy code that encrypts and anonymizes users’ sessions as they move about the Internet. Mozilla argues that the FBI had previously exploited the Tor Browser and that it did so in this case, despite a refusal from the government to acknowledge that it targeted Tor/Firefox code.
“Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability,” Mozilla said in its motion. “This risk could impact other products as well. Firefox is released under an open source license. This means that as Firefox source code is continuously developed, it is publicly available for developers to view, modify, share, and reuse to make other products like the Tor Browser.”
Michaud, a 62-year-old teacher, was arrested last July in Seattle and was charged with possession of child pornography he allegedly downloaded from a dark web site called Playpen. The Washington Post reported that the FBI seized the site’s servers and in February 2015 launched the exploit on the site, leading to charges against 137 people. On Feb. 17, 2016, Michaud’s defense team was granted a motion compelling the government to produce evidence related to the Network Investigative Technique (NIT) it deployed.
“At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base,” Dixon-Thayer said. “The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed.”
This case thrusts the government’s stockpiling and use of zero-day exploits back into the spotlight, scant weeks after it is thought to have purchased an exploit from a third party to hack into an iPhone belonging to one of the San Bernardino terrorists. The FBI has not shared details of how it cracked the phone with Apple, and if it did indeed purchase an exploit for a previously unpatched vulnerability, that flaw remains exposed to others.
Last September, the government did hand over a redacted version of its Vulnerabilities Equities Process, a document describing its policy on vulnerability use and disclosure. That version of the document has many large redacted sections, including the specific steps that agencies go through when evaluating whether to release information about a newly discovered vulnerability.
“Vulnerabilities can weaken security and ultimately harm users. We want people who identify security vulnerabilities in our products to disclose them to us so we can fix them as soon as possible,” Dixon-Thayer said. “We aren’t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure.”