
Mozilla Presses Government to Reveal Firefox Vulnerability

Millions of Users Could Be at Risk If Flaw Is Leaked

Mozilla wants the U.S. government to provide it with information about a possible unpatched vulnerability in its Firefox browser, a flaw the FBI used as part of a large child pornography investigation.


Mozilla filed a brief on May 11 in U.S. District Court for the Western District of Washington, saying it feared that early disclosure of the vulnerability would put millions of users at risk.

On Feb. 17, the federal court granted a motion asking for the disclosure of the vulnerability to the defense counsel of Jay Michaud, a middle school teacher who is charged in relation to Playpen, a now-shuttered child pornography website. Mozilla's brief asks the court to require the government to disclose the information to Mozilla at least 14 days before the defense counsel receives it.

"Any disclosure without advance notice to Mozilla will inevitably increase the likelihood the exploit will become public before Mozilla can fix any associated Firefox vulnerability," according to the brief.

Mozilla's filing comes as technology companies have increasingly clashed with the U.S. government over vulnerability disclosure and encryption.

Playpen Investigation

Two years ago, the White House pledged a greater commitment to the Vulnerabilities Equities Process, a framework set up six years ago for deciding whether to notify companies about zero-day vulnerabilities that the government discovers.

In the child pornography case, the FBI used the vulnerability to gather evidence on tens of thousands of users of Playpen, which was a "hidden" website that used the Tor anonymity system. Tor, short for The Onion Router, routes Internet traffic through a network of proxy servers, making it difficult to discover a user's real IP address.

Hidden websites that use the Tor system have a ".onion" URL. Such sites can only be visited using the Tor browser, which is a special browser based on Firefox's open-source code.

Tor is widely used by activists, dissidents, journalists and others who want greater anonymity in their web browsing, but the system is equally utilized by those involved in illegal activity.

Controversially, the FBI controlled Playpen for almost two weeks early last year. The agency used the browser vulnerability to record the real IP addresses of those who visited Playpen in order to later identify them.

It's unclear if the vulnerability lies within the Firefox code base or is part of the additional code added into the browser for the Tor functions. Mozilla hopes to find out.

"Court-ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community," wrote Denelle Dixon-Thayer, Mozilla's chief of legal. "In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly."

Apple Vs. FBI II?

Mozilla's move adds to the friction between the U.S. government and technology companies over software flaws and encryption.

In February, Apple resisted a legal order that would have required it to create a customized version of iOS 9 in order to unlock the iPhone 5C of Syed Rizwan Farook, one of the San Bernardino mass shooters (see: FBI-Apple Aftermath: Finding the Elusive Compromise).

The U.S. government later said it had found a way to unlock the device without Apple's help, fueling speculation that a zero-day vulnerability had been found in the operating system that Apple didn't know about.

On May 11, FBI Director James Comey said the agency merely bought a tool from a company to crack the iPhone and not the software flaw itself, according to the Washington Post. Comey said the agency wasn't trying to avoid a review under the Vulnerabilities Equities Process, but it did not have enough knowledge of the method used, the publication reported.