Mozilla Urges FBI to Disclose Potential Firefox Security Vulnerability


Reefa
On Wednesday, Mozilla filed a motion asking the FBI to disclose a potential vulnerability in the Firefox browser that the bureau allegedly used to hack visitors of a child pornography site. The move is likely to trigger a fierce debate around the responsibility of governments to disclose vulnerabilities used in investigations to the affected companies.

 

“Absent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability,” James E Howard, an attorney for Mozilla, writes. Mozilla is also asking the FBI for confirmation of what Mozilla products, if any, the vulnerability affects.

 

“We aren’t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure,” Denelle Dixon-Thayer, chief legal and business officer at Mozilla, elaborated in a blog post published Wednesday.

 

The filing was made as part of a case involving dark web child pornography site “Playpen.” In February 2015, the FBI took over Playpen and deployed a network investigative technique (NIT)—the agency's term for a hacking tool—in order to identify users of the site. In all, the FBI hacked over a thousand computers in the US, and over three thousand abroad.

 

In an affected case, a judge ordered the FBI to provide the full exploit code used to the defense under a protective order. That exploit, as Motherboard previously reported, may have affected not only the Tor Browser, which Playpen users would likely have used to connect to the site, but Firefox too.

 

“It makes no sense to allow the information about the vulnerability to be disclosed to an alleged criminal, but not allow it to be disclosed to Mozilla,” the filing reads.

 

Mozilla claims to have contacted the government asking for more information about the NIT, but has not been provided with any.

 

“Mozilla has contacted the Government about this matter but the Government recently refused to provide any information regarding the vulnerability used, including whether it affects Mozilla’s products,” Howard writes. In a comment previously provided to Motherboard, a Mozilla spokesperson said that “Mozilla has never received a vulnerability disclosure from FBI.”

 

The main thrust of Mozilla's argument is that if this potential vulnerability does affect Firefox, it puts hundreds of millions of users at risk, users who could be protected if Mozilla were given more information about the vulnerability, and then the opportunity to patch it if necessary.

 

“To protect the safety of Firefox users, and the integrity of the systems and networks that rely on Firefox, Mozilla requests that the Court order that the Government disclose the exploit to Mozilla at least 14 days before any disclosure to the Defendant, so Mozilla can analyze the vulnerability, create a fix, and update its products before the vulnerability can be used to compromise the security of its users’ systems by nefarious actors,” Howard writes. As the filing points out, Firefox is used by ordinary citizens, corporations, and government entities alike, including the US government, and on tablets, computers, and mobile phones.

 

Mozilla says it has reason to believe that the exploit used in the Playpen investigation relies on an active vulnerability in Firefox, pointing to testimony from an FBI agent, and the fact that the Tor Browser, which would have likely been used by visitors of Playpen, is heavily based on Firefox.

 

Mozilla, however, is concerned that the protective order currently in place for the defense's handling of the vulnerability is inadequate, considering the huge ramifications its exposure could have.

 

“The protective order does not contain restrictions on disclosing knowledge learned through examining NIT Protected Material. This alone marks a serious deficiency in the Protective Order as the damaging information about the vulnerability is likely something that someone can easily remember,” the filing reads, and points out more technical protections taken in other cases. From here, Mozilla argues that the protective order should be modified as well, to ensure that details of the vulnerability do not spill out into the public domain.

 

“The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed,” Dixon-Thayer continued in her blog post.

 

“If a vulnerability is publicly disclosed before a company is notified, criminals can quickly mount attacks using the published information,” the filing adds.

 

This is one of the most high profile cases to revolve around the issue of governments disclosing vulnerabilities to affected vendors. Recently, the FBI said it could not disclose a security issue used to brute-force entry into the San Bernardino iPhone, because the agency did not possess enough information to do so.

 

“Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community. In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly,” Dixon-Thayer added.

 

3 hours ago, Reefa said:

 

The filing was made as part of a case involving dark web child pornography site “Playpen.” In February 2015, the FBI took over Playpen and deployed a network investigative technique (NIT)—the agency's term for a hacking tool—in order to identify users of the site. In all, the FBI hacked over a thousand computers in the US, and over three thousand abroad.

Good luck with this. The courts are already tired, and they would rather the evidence not stand up in court than disclose this. In Feb 2015 Tor Browser was based on 31.5.0 ESR; even the ones from Jan were based on v31.4.0. There was a lot of patching going on.

https://blog.torproject.org/blog/tor-browser-403-released

https://blog.torproject.org/blog/tor-browser-404-released

You know how many holes they have patched since then? It's been a whole lot. Also, most browsers leave holes in them like canvas fingerprinting and WebRTC and never patch them, so we have to find workarounds to plug their holes, so why are they concerned now? Before, the FBI used Flash to exploit them. :)



More detail from Security Week...

 


The ongoing battle over the Federal Bureau of Investigation’s (FBI) use of a zero-day in the Tor anonymity browser hit a new gear this week with Mozilla filing a brief to get access to the vulnerability details.

 

The brief [PDF] filed with the U.S. District Court for the Western District of Washington, warns that “the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of this vulnerability.”

 

Tor, popular among web users for the privacy and anonymity features it offers, consists of a modified Mozilla Firefox web browser.

 

The open-source Mozilla now wants to make sure its own code isn’t implicated in the Tor zero-day that was used by the FBI in 2015 to unmask web users accessing child pornography content.

 

In a blog post, Mozilla Chief Legal and Business Officer Denelle Dixon-Thayer writes:

 

The relevant issue in this case relates to a vulnerability allegedly exploited by the government in the Tor Browser. The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base. The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed.

 

“If our code is implicated in a security vulnerability, [the] government must disclose the vulnerability to us before it is disclosed to any other party. We aren’t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure,” Dixon-Thayer added.

 

The Mozilla brief is urging the court to require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly.

 

During the criminal case proceedings, Judge Robert J. Bryan ruled that the FBI had to reveal the code it used to track the defendants, but the government refused, arguing that the details of the exploit were not necessary for the defense’s case.

 
