Date: 2024-08-11
- An 18-year-old vulnerability called 0.0.0.0 day is being exploited by threat actors to bypass the security protocols of major browsers such as Google Chrome, Firefox, and Apple Safari.
- It compromises both Linux and macOS devices. Windows devices are safe.
- Although the vulnerability was disclosed in 2006, it’s yet to be fixed.
Researchers at Oligo Security have recently discovered an 18-year-old vulnerability called “0.0.0.0 Day” that can be used to bypass security protocols of major browsers such as Google Chrome, Firefox, and Apple Safari.
Although the problem was disclosed 18 years ago, it remains unresolved to this date. All three browsers have acknowledged the issue and said that they are working towards a solution. Until then, it looks like users are on their own.
Now, the good news is that it doesn’t affect Windows; only Linux and macOS are at risk, so fewer people will be impacted.
The consequences of this vulnerability are severe, and both individuals and organizations are equally at risk.
It is not just browsers: many applications are also at risk. The researchers published a list of vulnerable applications that includes Selenium Grid, PyTorch TorchServe, and Ray.
About the Vulnerability
The root cause of the 0.0.0.0 day vulnerability is the lack of standardization in security mechanisms across different browsers, which allows public websites to communicate with local network services through the “wildcard” IP address 0.0.0.0.
For those who don’t know, the IP address 0.0.0.0 is often used as a placeholder or default address. On the surface, it’s a seemingly harmless IP address. But in the wrong hands, it can be exploited to access local services.
The worst part is that this vulnerability also bypasses Private Network Access (PNA) – a protocol designed by Google to prevent public websites from directly accessing endpoints inside private networks.
So what can web browsers do now? The answer is pretty simple. They’ll have to start blocking access to 0.0.0.0 completely so that there’s no direct link between private network endpoints and public websites.
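The gap and the fix described above, as an added example (not code from Oligo Security or any browser): a simplified check of a request made by a public page, where the address ranges, function names and sample URLs are assumptions made for illustration. With `block_all_zero=False` the all-zero address matches no loopback or private range in this model and is treated as public; with it enabled, 0.0.0.0 and :: are rejected outright.

```python
import ipaddress
from urllib.parse import urlsplit

# Simplified model of non-public address space (an assumption for this
# example, not the table from the PNA specification).
NON_PUBLIC = {
    "loopback": ("127.0.0.0/8", "::1/128"),
    "private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "169.254.0.0/16", "fc00::/7", "fe80::/10"),
}
NETWORKS = [(space, ipaddress.ip_network(cidr))
            for space, cidrs in NON_PUBLIC.items() for cidr in cidrs]

def literal_ip(url):
    """Return the IP literal in the URL's host, or None for a DNS name."""
    host = urlsplit(url).hostname
    try:
        ip = ipaddress.ip_address(host or "")
    except ValueError:
        return None
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so both spellings classify alike.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def address_space(ip, block_all_zero):
    """Classify an address; 0.0.0.0 and :: get their own class only with the fix on."""
    if block_all_zero and ip.is_unspecified:
        return "unspecified"
    for space, net in NETWORKS:
        if ip in net:
            return space
    return "public"

def check_request(target_url, block_all_zero=True):
    """Decide how a request from a public page to target_url is handled."""
    ip = literal_ip(target_url)
    if ip is None:
        return "resolve-first"  # DNS name: classify the resolved address instead
    space = address_space(ip, block_all_zero)
    if space == "unspecified":
        return "block"
    return "allow" if space == "public" else "pna-check"

if __name__ == "__main__":
    # Constructed sample targets; 203.0.113.7 is a documentation address.
    for url in ("http://203.0.113.7/", "http://127.0.0.1:8080/",
                "http://0.0.0.0:8080/", "http://[::]:8080/"):
        print(url, check_request(url, block_all_zero=False), check_request(url))
```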
Here’s what the top 3 browsers have done so far to contain the risk:
Google Chrome
- Evolving Private Network Access (PNA)
- Blocking 0.0.0.0 from Chrome 128, fully effective by Chrome 133.
Apple Safari
- Now blocks 0.0.0.0 access
- Requests to all-zero IP addresses are blocked.
Mozilla Firefox
- Will soon implement PNA
- Fetch specification updated to block 0.0.0.0.
