Key Takeaways
- The 0.0.0.0-day exploit affects Chrome, Firefox, and Safari on macOS and Linux, but not on Windows.
- The vulnerability was disclosed to the browser vendors in April, and the major browser companies are working on patches.
- Chrome and Safari are already implementing changes to block access to 0.0.0.0; Firefox plans to do so in the future.
As reported in Forbes, some of the most popular browsers on the planet contain a security vulnerability that can allow hackers to reach the private networks of businesses and homes. Cybersecurity firm Oligo found that attackers could exploit it by having a malicious public website send requests to the IP address 0.0.0.0, which on the target's machine are delivered to services listening locally, giving the attacker a foothold on the internal network.
This so-called 0.0.0.0-day exploit affects browsers including Chrome, Firefox, and Safari. However, Windows computers aren't at risk; the vulnerability only affects computers running macOS or Linux. The companies behind the major browsers have been made aware of the vulnerability, and most of them have put plans into action to block access via 0.0.0.0. Until those changes ship, macOS and Linux users remain vulnerable.
The 0.0.0.0-day vulnerability uses a method that’s been an issue for 18 years
Security developments have mitigated the underlying issue, but 0.0.0.0 was left uncovered
A blog post on Oligo's website explains how the vulnerability was discovered. It cites an 18-year-old Firefox bug report in which a user claimed that public websites had been able to attack his router on the internal network.
Since that time, efforts have been made to block access to private networks from public websites. Google introduced the Private Network Access (PNA) specification, which is designed to protect users against attacks on routers and other devices on private networks.
It works by restricting public websites from sending requests to more private, local IP addresses, such as 127.0.0.1 or 192.168.1.1. However, Oligo discovered that 0.0.0.0 is not included in the set of addresses PNA treats as private or local, so requests to it are handled as if they were going to the public internet.
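To make the gap concrete, here is a simplified model of the PNA address-space classification, added for this page; it is not Chrome's or WebKit's code, nor Oligo's. The loopback and private ranges are the ones the PNA draft lists; treating 0.0.0.0/8 as local once a fix is applied (the `blockZero` switch) is an assumption made for the demonstration, not a description of any vendor's patch. Whether a connection to 0.0.0.0 actually reaches a local listener is operating-system behaviour (it does on macOS and Linux, as the article notes) and is not modelled here.

```javascript
// Added example: a simplified model of Private Network Access (PNA)
// address-space classification and of the 0.0.0.0 gap Oligo reported.
// Illustrative code written for this page, not a browser's implementation.
// The ranges below are the loopback/private ranges from the PNA draft;
// treating 0.0.0.0/8 as "local" after the fix is an assumption.

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit integer, or null.
function parseIPv4(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value >>> 0;
}

// True if the IPv4 integer `addr` lies inside `cidr` (e.g. "10.0.0.0/8").
function inCidr(addr, cidr) {
  const [net, bitsText] = cidr.split('/');
  const bits = Number(bitsText);
  const netValue = parseIPv4(net);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((netValue & mask) >>> 0);
}

// PNA address spaces: "local" (loopback), "private" (RFC 1918 and
// link-local), and "public" for everything else.
const LOCAL_V4 = ['127.0.0.0/8'];
const PRIVATE_V4 = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16'];

// Classify a host literal. With blockZero=false this reproduces the gap:
// 0.0.0.0 is "public". With blockZero=true, 0.0.0.0/8 is treated as local
// (the assumed post-fix behaviour).
function addressSpace(host, blockZero = false) {
  if (host === '::1' || host === '[::1]') return 'local';
  const v4 = parseIPv4(host);
  if (v4 === null) return 'public'; // hostnames resolve later; model them as public
  if (LOCAL_V4.some(c => inCidr(v4, c))) return 'local';
  if (blockZero && inCidr(v4, '0.0.0.0/8')) return 'local';
  if (PRIVATE_V4.some(c => inCidr(v4, c))) return 'private';
  return 'public';
}

// PNA gates requests from a public origin into a less-public address space.
// Returns true when a public page may send the request with no PNA check.
function allowedFromPublicPage(targetHost, blockZero = false) {
  return addressSpace(targetHost, blockZero) === 'public';
}

// Side-by-side view of the gap and the assumed fix.
function demo() {
  const hosts = ['127.0.0.1', '192.168.1.1', '0.0.0.0', '93.184.216.34'];
  return hosts.map(h => ({
    host: h,
    beforeFix: allowedFromPublicPage(h),
    afterFix: allowedFromPublicPage(h, true),
  }));
}

console.table(demo());
```

The row for 0.0.0.0 is the whole story: 127.0.0.1 and 192.168.1.1 are gated, but 0.0.0.0 passes as "public" until it is explicitly folded into the local address space.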
There is good news if you’re a Windows user, however. The vulnerability only affects software that runs locally on macOS and Linux. Windows computers aren’t vulnerable in the same way.
Oligo was able to use 0.0.0.0 as the attack vector to carry out the ShadowRay attack, which targets a vulnerability in the Ray AI framework. By doing so, Oligo demonstrated that Safari, Firefox, and Chrome, as well as other Chromium-based browsers, have a serious security vulnerability that is currently still in place.
Apple and Google are working on patches
Mozilla is biding its time, however
When Oligo discovered the 0.0.0.0-day exploit in April, it disclosed the findings to the security teams of the affected browsers. The flaw has been acknowledged by the major browser companies, and most of them are working on changes to their browsers to mitigate the vulnerability.
Chrome is rolling out a change that will block access to 0.0.0.0 for all Chrome and Chromium users. The first changes have been implemented in Chrome 128 and should be completed by Chrome 133.
For Safari users, Apple has made changes to WebKit that will block access to 0.0.0.0. These changes are due to ship in Safari 18, which is currently available in the beta release of macOS Sequoia. Older versions of macOS will also be able to upgrade to Safari 18 when it is released, ensuring that the 0.0.0.0-day loophole is closed there too.
However, if you're a Firefox user, you may have to wait a little longer for a patch. Mozilla told Forbes that blocking 0.0.0.0 could break servers that rely on the address, and that it has not yet imposed any restrictions on accessing 0.0.0.0. Plans to block 0.0.0.0 in the future are, however, ongoing.