Key Takeaways
- The 0.0.0.0 day exploit affects Chrome, Firefox and Safari, but not Windows.
- The vulnerability was made public in April and major browser companies have been working on creating patches.
- Chrome and Safari have already implemented changes to block access, with Firefox expected to do so in the future.
As reported by Forbes, some of the most popular browsers on the planet contain security vulnerabilities that could allow hackers to access private networks at businesses and homes. Cybersecurity firm Oligo discovered that attackers could exploit the vulnerabilities to send malicious requests to a target’s 0.0.0.0 IP address, potentially gaining access to the internal network.
This so-called 0.0.0.0-day exploit affects the following browsers: chromium Firefox, and Safari However, Windows computers are not at risk. The vulnerability is MacOS Or Linux. The companies that make the major browsers are aware of this vulnerability and most of them have plans in place to block access via 0.0.0.0, but for now macOS and Linux users are still vulnerable.
Related
We tested seven alternatives to Chrome to see which one is best
If Chrome feels like a vampire sucking data from your computer, there are alternative browsers out there. We tried out these seven to see which one is best.
0.0.0.0-day vulnerabilities exploit techniques that have been a problem for 18 years
Security advances have mitigated this issue, but it remains a vulnerability.
firmbee-com/Unsplash/Pocket-lint
A blog post on the Oligo website provides information about how the vulnerability was discovered, citing an 18-year-old Firefox bug report in which a user claimed a public website was able to attack their router in their internal network.
Since then, there have been efforts to block access from public websites to private networks, and Google introduced the Private Network Access (PNA) specification, which is designed to protect users from attacks on routers and other devices on private networks.
It works by restricting public websites from sending requests to more private, local IP addresses such as 127.0.0.1 and 192.168.1.1. However, Oligo discovered that 0.0.0.0 is not included in the list of IP addresses that are considered private or local.
However, there’s good news for Windows users: the vulnerability only affects software running locally on macOS and Linux. Windows computers are not vulnerable in the same way.
Oligo used 0.0.0.0 as an attack vector to launch ShadowRay attacks targeting vulnerabilities in the Ray AI framework, thereby demonstrating that browsers such as Safari, Firefox, Chrome, and other Chromium browsers currently contain serious security vulnerabilities.
if you Windows users However, this vulnerability only affects software running locally on macOS and Linux: Windows computers are not vulnerable in the same way.
Apple and Google are working on a patch
Mozilla is biding its time
apple
Oligo discovered the 0.0.0.0-day exploit in April and disclosed their findings to the security teams of the affected browsers. The flaw has been acknowledged by major browser companies, most of which are working to implement changes to their browsers to mitigate the vulnerability.
Chrome is rolling out changes that will block access to 0.0.0.0 for all Chrome and Chromium users. The first change is: Chromium 128 and, Chromium 133.
For Safari users, Apple has made changes to WebKit to block access to 0.0.0.0. These changes are scheduled to be implemented in Safari 18, which is currently available in beta. macOS Sequoia Older versions of macOS can also be upgraded Safari 18 Once released, it will ensure that the 0.0.0.0 day loophole is closed.
Firefox users, however, may have to wait a little longer for a patch: Mozilla told Forbes that blocking 0.0.0.0 could cripple servers using that address, and that the company hasn’t yet put any restrictions on access to 0.0.0.0, although plans are in the works to block 0.0.0.0 in the future.
