FBI May Be Hoarding a Firefox Zero-Day (softpedia.com)
An anonymous reader writes: Vice reported at the end of March that the FBI and the U.S. Department of Justice are fighting tooth and nail to keep a Tor Browser exploit hidden from the public eye. Computer experts were quick to point out that this Tor Browser exploit, technically speaking, is a Firefox exploit, since Tor's browser is based on Firefox's ESR platform. Taking into account that Firefox follows open-source philosophy and reveals all security flaws reported, the effort which the FBI puts into restricting access to its exploit leads to only one conclusion, and that is that the FBI is hoarding a Firefox zero-day, currently unpatched in the browser's core -- something it hopes to use once again.
NSA just buys them all the time on the black market.
The FBI could do the same; it wouldn't even be that expensive.
Protip: All malware writers are hoarding exploits -- and even selling them on the blackhat market.
I would wager the stupid burns because they would need to believe that they are the only group hoarding those zero-day faults or that their knowledge has not leaked or been sold. That is the real problem with hoarding zero-day flaws: the kind of stupid ego that presupposes they are the only people who are smart enough to find it and all the other espionage groups are just script kiddies. In reality hoarders will find that those they are meant to be protecting end up being attacked by others, and as they watch it unfold, they just sit there, thumb in bum, mind in neutral, as they desperately try to pretend they had nothing to do with that attack or those victims.
This has been covered before: you can never use a zero-day flaw, because once it is detected it is gone (so major effort, little to no reward); hoard a zero-day flaw only to see someone else use it whilst you are still hoarding it (those victims are your fault, and you are now an accessory before the fact and guilty of criminal negligence); hoard a zero-day only to find others had already found it and are working on a fix, and that fix is implemented before you can claim credit and earn kudos for your efforts (major effort expended and no respect gained for your agency, or the support from the public that the gained respect would earn); and of course get busted hoarding an exploit and expect resounding condemnation from everyone, a desire by the public to expose the dickheads involved, and a desire to see them prosecuted for criminal negligence, because they have a duty of care and a duty of law to protect the public from harm.
Chaos - everything, everywhere, everywhen
Given that it's Firefox, they probably have as many zero-days as they want. Firefox doesn't seem to take security seriously, for whatever reason.
"First they came for the slanderers and i said nothing."
Why bother?
Considering Pwn2Own removed Firefox from the contenders list for being "too easy", I hope the FBI didn't pay more than a few bucks for this one. I'm sure if they paid a few more bucks they could've had 10, 100, 1000 or more.
Heck, there's tons of bugs that are reported and haven't been fixed at all...