The way around this is Whonix. You can't be totally sure there are no zero-days in your web browser, so you browse in a VM that's only connected to the Internet through ANOTHER VM and THAT VM is running Tor. So, the VM the web browser is running in doesn't know your MAC address and doesn't know your IP and has no way to get it.
Then, when you're done, you reset the entire VM to a known state ("snapshot") so that any virus they managed to install can't stick around and probe for ways out of the VM jail.
This isn't perfect. Nothing is. They could find a 0-day in the Tor project software, or they could find a way to break out of the VM after they compromised Firefox, but this is still REALLY good protection.
And I have no problem with the FBI using malware to catch bad guys. Like others have said, the problem is (was?) with the Tor Browser, not with the FBI. They're just doing their job, and I applaud them for using all tools they have available.
Now, they "blew their cover" with this tool by using it, so this particular vulnerability won't ever work again. I hope it was worth it.
The endgame, of course, is going to be that the FBI doesn't have tools like this. Whonix, software like Whonix, and just plain better security practices in coding will make exploits like this rarer and rarer. Is that a good thing? I guess we'll see. If organized crime starts flourishing because of Internet anonymity, then I guess it's not a good thing. If not, it probably is. But, as long as law enforcement has a tool, it's their job to use it.
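The isolation described in the comment above (browser VM reachable only through the Tor gateway VM, plus a snapshot to roll back to) can be checked from the host. This is an added example, not part of the original comment; it assumes VirtualBox as the hypervisor, an internal network named "Whonix", and constructed sample output in the `VBoxManage showvminfo --machinereadable` key="value" format.

```python
import re

# Adapter modes that keep the workstation VM off the host's real network.
ISOLATED_MODES = {"none", "intnet"}

# Constructed samples in VBoxManage's machine-readable format (not real captures).
GOOD_SAMPLE = '''name="workstation"
nic1="intnet"
intnet1="Whonix"
macaddress1="080027AABBCC"
nic2="none"
CurrentSnapshotName="clean"
'''
BAD_SAMPLE = '''name="workstation"
nic1="intnet"
intnet1="Whonix"
nic2="nat"
'''

def parse_vminfo(text):
    """Parse key="value" lines (keys may themselves be quoted) into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'^"?([^"=]+)"?=(.*)$', line.strip())
        if m:
            info[m.group(1)] = m.group(2).strip('"')
    return info

def audit_workstation(info, gateway_net):
    """Return findings that weaken the gateway-only design; empty list means OK."""
    findings = []
    on_gateway_net = False
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m:
            continue
        n = m.group(1)
        if mode not in ISOLATED_MODES:
            # NAT, bridged, host-only etc. give the browser VM a path around Tor.
            findings.append(f"nic{n} is '{mode}': traffic can bypass the Tor gateway")
        elif mode == "intnet" and info.get(f"intnet{n}") == gateway_net:
            on_gateway_net = True
    if not on_gateway_net:
        findings.append(f"no adapter attached to internal network '{gateway_net}'")
    if "CurrentSnapshotName" not in info:
        findings.append("no snapshot: VM cannot be reset to a known state")
    return findings

if __name__ == "__main__":
    for finding in audit_workstation(parse_vminfo(BAD_SAMPLE), "Whonix"):
        print(finding)
```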