Mozilla Wants FBI To Disclose Possible Firefox Vulnerability

Mozilla asked a court to order the FBI to disclose a vulnerability the agency has been using to hack the Tor browser, which is based on Mozilla’s Firefox code. Mozilla believes the same vulnerability could be used by bad actors to attack potentially hundreds of millions of users.

Mozilla seems to take issue especially with the fact that the judge has already ordered the disclosure of the vulnerability to the defense attorneys in a criminal case, which means the FBI has disclosed the vulnerability to a third-party before the vendor of the product itself. This could lead to many others finding out about the vulnerability before the company has a chance to fix it.

The company thinks that although the FBI targeted the Tor browser and not Firefox itself, the vulnerable code may be part of Firefox as well. The Tor browser is built on top of Firefox Extended Support Release (ESR), the version aimed at enterprise deployments, so the majority of the code is shared between the two browsers.

Mozilla argued in a filed brief that the court should follow the industry best practices around vulnerability disclosures and order the FBI to disclose vulnerabilities to the vendors first.

“To protect the safety of Firefox users, and the integrity of the systems and networks that rely on Firefox, Mozilla requests that the Court order that the Government disclose the exploit to Mozilla at least 14 days before any disclosure to the Defendant, so Mozilla can analyze the vulnerability, create a fix, and update its products before the vulnerability can be used to compromise the security of its users’ systems by nefarious actors,” said Mozilla in a filing to the court.

The company also believes that it is the responsibility of both companies and the government to ensure the safety of online users, especially when a vulnerability can affect millions of them. Mozilla may have a point here, especially in light of the Vulnerabilities Equities Process (VEP), which, at least in theory, the FBI should be following when it discovers major vulnerabilities.

The VEP, which was created in 2010 and supposedly started being enforced in 2014, requires that the government reveal vulnerabilities to technology companies if those vulnerabilities can have a significant impact on users’ security. However, the FBI has tended to dodge compliance with the VEP and has tried to find loopholes around it in the past. The FBI will likely try to fight Mozilla’s request again, but it will be up to the judge to ultimately decide the issue.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • rv3392
    I read the title as "FBI asks Mozilla to disclose possible Firefox vulnerability" and was like, "Damn FBI always looking for those vulnerabilities"
  • Nuckles_56
    I can certainly understand why Mozilla is unhappy with the FBI over this one and I do hope that Mozilla wins this one
  • Martell1977
    The real question is: Why is the FBI withholding the information? You would think they would turn it over without a court order...Guess I was naive in thinking it was just the NSA and CIA spying on the citizens.
  • AndrewJacksonZA
    The real question is: Why is the FBI withholding the information? You would think they would turn it over without a court order...Guess I was naive in thinking it was just the NSA and CIA spying on the citizens.
    I know you're being sarcastic, but you reminded me of this quote from J. Edgar Hoover, the first director of the FBI:
    "We are a fact-gathering organization only. We don’t clear anybody. We don’t condemn anybody." - Look magazine (14 June 1956).
  • mavikt
    The problem as I see it is that they've lost track of who they're working for; a thing commonly affecting politicians. It's the taxpayers' salaries that get shaved off in order to keep these institutions running => They should be working for the common good!

    People working with these things and not complying should be sent to the breaking wheel (swe. 'Stegling', abandoned ca. 1841).
    I'm sorry I feel this way, but our public representatives somehow don't seem to be working for the public good.
  • mavikt
    Wikipedia has great stuff on the matter:
    "Here the executioner gave him the first stroke. His cries were terrible. "O Jesus! Jesus, have mercy upon me!" This cruel scene was much lengthened out, and of the utmost horror; for as the headsman had no skill in his business, the wretch under his hands received upwards of fifteen several blows, with each of which were intermixed the most piteous groans, and invocations of the name of God. At length, after two strokes given on the breast, his strength and voice failed him. In a faltering dying tone, he was just heard to say, "Cut off my head!" and the executioner still lingering, he himself placed his head on the scaffold: in a word, after four strokes with an hatchet, the head was separated from the body, and the body quartered. Such was the end of the renowned Patkul: and may God have mercy on his soul!"
  • mavikt
    They just need incentive! Somehow public outcry doesn't seem to do the trick...
  • ifIwasarichman
    Typical of institutions like the FBI to blatantly try to obstruct and/or ignore the legal system, as well as companies' and people's legal rights.
    I feel the same as Nuckles_56 in understanding why Mozilla is upset and hoping they win big time.
    There is nothing wrong with looking for and finding vulnerabilities, but the first thing they should do is communicate with the company involved to at least alert them (so they can at least find a fix). If they have a verifiable valid reason to continue to use this access, it can be arranged between the company, the court and the enforcement institution.
    If they are just using this vulnerability to snoop for the sake of snooping, it should be stopped immediately.
  • gangrel
    The FBI doesn't believe in following the law when they think it would interfere with their efforts.

    Heck, I would be VERY dubious about the admissibility of any information they might obtain through this hack.