Mozilla wants to fix the issue before it is disclosed to other parties

May 12, 2016 21:05 GMT

The Mozilla Foundation yesterday filed a motion with a US District Court in Tacoma, Washington, asking the judge to force the government to disclose a potential zero-day vulnerability in the Tor Browser that may also affect Firefox.

The motion was filed in the case United States of America vs. Jay Michaud, one of the indictments for child pornography possession that were filed after the Playpen operation.

The FBI used the Firefox/Tor Browser zero-day in 2015

At the end of February and early March 2015, the FBI seized the Web server on which the "Preteen Videos—Girls Hardcore" Dark Web portal was running.

This website was a safe haven on the Dark Web where crooks were exchanging child pornography imagery. The FBI deployed a network investigative technique (NIT) on this server that helped it track down and charge over 137 US citizens.

One of them is Jay Michaud, who fought back against the accusations and asked the judge to force the FBI to reveal the technical details of how it tracked him down, so his computer forensics experts could analyze their effectiveness.

The judge agreed to his request, and later court documents revealed that the FBI was in possession of a zero-day vulnerability (an unpatched security bug) in the Tor Browser.

Mozilla wants 14 days to patch the zero-day

The Tor Project built the Tor Browser on Firefox ESR (Extended Support Release), so technically the Tor Browser zero-day could also be a Firefox zero-day if the exploit affects some of the parts borrowed from Mozilla's browser.

The Foundation is now arguing that the FBI should disclose this security flaw to Mozilla first, allow its engineers 14 days to fix it, and only then disclose it to Michaud's technical experts.

"Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community," Mozilla's Denelle Dixon-Thayer wrote yesterday on the Foundation's blog. "In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly."

Below is the Mozilla motion filed yesterday in court.