Mozilla wants advance disclosure of zero day exploited by FBI in Playpen case
Advance disclosure of vulnerability exploited by FBI is a security best practice, Mozilla said.
Mozilla has petitioned a federal district court in Washington to compel the Federal Bureau of Investigation (FBI) to disclose to it in advance a zero-day vulnerability in the Tor browser that authorities exploited to identify patrons of the Tor-based child pornography site Playpen.
Mozilla said in the court documents that “if a vulnerability is publicly disclosed before a company is notified, criminals can quickly mount attacks using the published information, resulting in the proliferation of malware that can threaten the security of individual, corporate and government networks.”
Lawyers for one of the accused in the Playpen case have filed a motion urging the court to dismiss the case if the government does not comply with a court order to reveal the technique it used or drop the charges.
Calling advance disclosure a security best practice that would allow “some time for the vulnerability to be fixed” before public disclosure, Mozilla noted that the vulnerability exploited by the FBI likely relates to a flaw in its Firefox browser, which serves as the underpinnings for the Tor browser.
“If the exploit implicates Firefox, failure to disclose the vulnerability to Mozilla threatens to harm Mozilla, its developers and users,” the motion said, acknowledging that as a “gateway experience to the Internet,” web browsers have become “an attractive means of attacking” computers. “If it takes advantage of an unfixed vulnerability, neither Mozilla nor the government would know if a third-party had received info to exploit the vulnerability until potentially widespread damage had occurred.”
Mozilla argued to the court that it has a legitimate interest in the matter and should be allowed to intervene or appear as amicus curiae in the case, citing as precedent the court's willingness to allow MIT and JSTOR to intervene in United States v. Swartz. The court let those two organizations “review and redact discovery materials concerning vulnerabilities in their computer networks before public disclosure.”