close
close

0.0.0.0 Day: 18-year-old browser bug affects Linux and macOS

0.0.0.0 Day: 18-year-old browser bug affects Linux and macOS
Posted on | Posted on Theodore

The Oligo Security research team recently discovered a critical vulnerability, dubbed “0.0.0.0 Day,” affecting the Chromium, Firefox, and Safari browsers on macOS and Linux systems. This vulnerability allows malicious websites to bypass standard browser security protocols and interact with services running on an organization’s local network. Windows devices are not affected.

The anatomy of 0.0.0.0 day

The root cause of the 0.0.0.0 Day vulnerability is the inconsistent implementation of security mechanisms across browsers and the lack of standardization within the industry. Often perceived as harmless, the IP address 0.0.0.0 can be weaponized by attackers to exploit local services, including those used for development, operating systems, and internal networks.

The vulnerability is particularly dangerous because it allows public websites (such as those with .com domains) to communicate with services running on a user’s local network (localhost). By replacing the more common localhost or 127.0.0.1 with 0.0.0.0, attackers could potentially execute arbitrary code on the visitor’s computer.

clarity

Although this vulnerability was reported in 2008, it is still not fixed in major browsers such as Chrome, Firefox and Safari, leaving millions of users at risk. Attackers are actively exploiting the vulnerability to attack local services, demonstrating the impact and dangers of this bug in practice.

Browser responses

In response to the 0.0.0.0-day vulnerability, browser developers have taken steps to mitigate the risk, but due to the complexity of the issue, the vulnerability can still be exploited in the meantime.

Google Chrome and Chromium-based browsers

Google has led the charge with its Private Network Access (PNA) initiative to prevent websites from accessing private IPs like 127.0.0.1 via JavaScript when loading from public websites. However, the 0.0.0.0 Day vulnerability was able to bypass the PNA mechanism in Chromium, rendering it ineffective against this particular threat.

Following Oligo Security’s report, Google announced that it will block access to 0.0.0.0 starting with Chromium version 128. This change will be rolled out gradually over the next versions, with full implementation expected for Chrome 133. From that point on, the IP address will be completely blocked for all Chrome and Chromium browsers.

Apple Safari

Apple’s Safari, which is based on the open-source WebKit engine, has also taken steps to address the 0.0.0.0 Day vulnerability. In response to the report, Apple made breaking changes to WebKit, adding a check to block requests if the target host’s IP address is all zeros. These changes are now part of WebKit’s source code and significantly reduce the risk of exploitation for Safari users.

Firefox

Mozilla Firefox’s response to the 0.0.0.0 Day vulnerability was less immediate. Unlike Chrome and Safari, Firefox never restricted Private Network Access (PNA), meaning it was technically always vulnerable to this type of attack. However, after the disclosure, Mozilla prioritized implementing PNA and modified the Fetch specification to block 0.0.0.0.

While a fix is ​​being worked on, there is no immediate solution for Firefox users. At some point in the future, 0.0.0.0 will be blocked by Firefox, but the timeline for that fix is ​​still uncertain.

Diploma

Browsers are designed by nature to send requests to almost any HTTP server using JavaScript. When processing a cross-site response, the browser’s security mechanisms decide the appropriate action – whether to pass the response data to the JavaScript context or return a masked response or error.

However, with the 0.0.0.0 Day vulnerability, a single request is enough to cause significant damage and completely bypass these security measures. The impact of this vulnerability is far-reaching, affecting both individuals and organizations by exposing local services to external threats.

Sources for this article include a story from BleepingComputer.

The post 0.0.0.0 Day: 18-year-old browser bug affects Linux and macOS appeared first on TuxCare.

***This is a Security Bloggers Network syndicated blog from TuxCare written by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/0-0-0-0-day-18-year-old-browser-flaw-affects-linux-and-macos/


Rohan Timalsina

0.0.0.0 Tag, browser exploits, browser security, browser vulnerability, browser vulnerability, Chromium-based browsers, cybersecurity, Google Chrome, Linux & Open Source News, Linux security, localhost API exploitation, macOS vulnerability, Mozilla, network security, private network access, remote code execution, Safari, ShadowRay exploitation campaign

Leave a Reply

Your email address will not be published. Required fields are marked *