Apple and Google are fixing ‘0.0.0.0-day’ security vulnerability

As reported in Forbes, some of the most popular browsers on the planet contain a security vulnerability that can allow hackers to access the private networks of businesses and homes. The cybersecurity firm Oligo found that it was possible for attackers to exploit this vulnerability by sending malicious requests to the 0.0.0.0 IP address of the target, which allowed them to gain access to their internal network.

This so-called 0.0.0.0-day exploit affects browsers including Chrome , Firefox, and Safari . However, Windows computers aren’t at risk; the vulnerability only affects computers running macOS or Linux. The companies behind the major browsers have been made aware of the vulnerability, and most of them have put plans into action to block access via 0.0.0.0. However, currently macOS and Linux users are still vulnerable.

The 0.0.0.0-day vulnerability uses a method that’s been an issue for 18 years

Security developments have mitigated the issue, but it remains vulnerable

firmbee-com / Unsplash/ Pocket-lint

A blog post on Oligo’s website provides information about how the vulnerability was discovered. It cites an 18-year-old bug report for Firefox in which a user claimed that public websites had been able to attack his router in the internal network.

Since that time, efforts have been made to block access to private networks from public websites. Google introduced the Private Network Access (PNA) specification which is designed to protect users against attacks on routers and other devices on private networks.

It works by restricting public websites from sending requests to more private local IP addresses, such as 127.0.0.1 or 192.168.1.1. However, Oligo discovered the 0.0.0.0 is not included in the list of IP addresses that are considered private or local.

Oligo was able to use 0.0.0.0 as the attack vector to execute the ShadowRay attack that targets a vulnerability in the Ray AI framework. By doing so, Oligo proved that browsers such as Safari, Firefox, and Chrome, as well as other Chromium browsers, have a serious security vulnerability that is currently still in place.

There is good news if you’re a Windows user , however. The vulnerability only affects software that runs locally on macOS and Linux. Windows computers aren’t vulnerable in the same way.

Apple and Google are working on patches

Mozilla is biding its time, however

Apple

When Oligo discovered the 0.0.0.0-day exploit in April, it disclosed the findings to the security teams of the browsers that are affected. The flaw has been acknowledged by the major browser companies, and most of them are working on implementing changes in their browsers to mitigate the vulnerability.

Chrome is rolling out a change that will block access to 0.0.0.0 for all Chrome and Chromium users. The first changes have been implemented in Chrome 128 and should be completed by Chrome 133.

For Safari users, Apple has made changes to WebKit that will block access to 0.0.0.0. These changes are due to be implemented in Safari 18, which is currently available in the beta release of macOS Sequoia . Older versions of macOS will also be able to upgrade to Safari 18 when it is released, ensuring that the 0.0.0.0-day loophole is closed.

However, if you’re a Firefox user, you may have to wait a little longer for a patch. Mozilla told Forbes that blocking 0.0.0.0 could cause servers that are using the address to break and that it has not yet imposed any restrictions on accessing 0.0.0.0. However, plans are ongoing to block 0.0.0.0 in the future.