Apple has closed a long-standing security vulnerability in Safari for macOS that has been present since the early days of Intel Macs. The flaw, which revolves around the unspecified IP address 0.0.0.0, was uncovered by researchers from Oligo Security and is being discussed at the ongoing Defcon hacking conference in Las Vegas, held from August 8 to 11, 2024.
Dubbed "0.0.0.0 Day," the vulnerability lies in how browsers handle network requests to the IP address 0.0.0.0. Browsers already restrict public websites from reaching loopback and private addresses such as 127.0.0.1, but 0.0.0.0 slipped through that filter: on macOS and Linux, a connection to 0.0.0.0 is delivered to services listening on the visitor's own machine. A malicious public website can therefore use JavaScript to send requests to local services the visitor never intended to expose, and if such a service is itself vulnerable this can lead to the execution of attacker-controlled code on the user's machine. The issue has been around for many years, with reports of similar concerns dating as far back as 2006.
The vulnerability affects all major web browsers on macOS and Linux, including Safari, Mozilla Firefox, and Google Chrome; Windows is not affected, since Windows blocks the 0.0.0.0 address at the operating-system level. For Safari, Apple has changed WebKit, the engine underlying the browser, so that it checks whether a request's host is the all-zero IP address and refuses the request before any connection is made. The update is part of Safari 18, which is included in the beta versions of macOS Sequoia.
Mozilla and Google are working on corresponding fixes for Firefox and Chrome. Mozilla has changed the Fetch specification so that requests to 0.0.0.0 fail with a network error, with Firefox to be updated to match, and Google is rolling out updates that protect Chrome and other Chromium-based browsers from this vulnerability.
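The following is an added illustration of the kind of check the browsers describe above: parse the request URL with the WHATWG URL parser (Node's built-in URL here), which normalises the many spellings of the all-zero IPv4 address ("0", "0x0", "0.0", "0.0.0.0") to a single form, and refuse the request when the parsed host is that address or the IPv6 unspecified address "[::]". It is not WebKit, Chromium or Fetch specification code, and the function names are this example's own.

```javascript
// Added example, not from WebKit, Chromium or the Fetch specification.
// Demonstrates why the check must run on the *parsed* host: the WHATWG URL
// parser folds "0", "0x0", "0.0" and "000.0.0.0" into "0.0.0.0", so a
// string comparison on the raw URL would be trivially bypassed.

// Hosts the browsers now refuse: the IPv4 and IPv6 unspecified addresses.
// (Node's URL#hostname keeps the brackets for IPv6 literals.)
const ALL_ZERO_HOSTS = new Set(["0.0.0.0", "[::]"]);

// Returns true when the URL's host, after WHATWG parsing, is the unspecified
// address. Throws TypeError on strings that are not valid absolute URLs,
// exactly as the URL parser does.
function isAllZeroHost(urlString) {
  const url = new URL(urlString);
  return ALL_ZERO_HOSTS.has(url.hostname);
}

// Wraps a fetch-like function and mirrors the spec behaviour of returning a
// network error: the promise rejects with a TypeError and the underlying
// fetch is never called. `fetchImpl` defaults to the platform fetch; tests can
// pass a stub. (Hypothetical helper, not a browser API.)
async function guardedFetch(urlString, init = {}, fetchImpl = globalThis.fetch) {
  if (isAllZeroHost(urlString)) {
    throw new TypeError(
      `Failed to fetch: request to the unspecified address is blocked (${urlString})`,
    );
  }
  return fetchImpl(urlString, init);
}

// Constructed sample URLs a malicious page might try, and what the check
// decides for each. Only the parsed-host comparison catches the disguised
// spellings on the left.
const SAMPLE_URLS = [
  "http://0.0.0.0:8080/api",
  "http://0:8080/api",
  "http://0x0:8080/api",
  "http://0.0:8080/api",
  "http://[::]:8080/api",
  "http://127.0.0.1:8080/api",
  "http://localhost:8080/api",
  "http://0.0.0.0.example.com/",
];

function classifySamples() {
  return SAMPLE_URLS.map((u) => [u, isAllZeroHost(u) ? "blocked" : "allowed"]);
}

module.exports = { isAllZeroHost, guardedFetch, classifySamples, SAMPLE_URLS };
```

Run with `node` and call `classifySamples()` to see which spellings collapse to the blocked address. The decision is taken on `URL#hostname`, so anything the parser accepts as an IPv4 literal that evaluates to zero is caught, while a domain name that merely begins with "0.0.0.0." is left alone.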
The Oligo Security team will provide more details about the "0.0.0.0 Day" vulnerability during their talk at Defcon, part of the AppSec Village on Saturday.
Because the fix lives in the browser, any unauthenticated HTTP service listening on a machine remains reachable from web pages the user visits until the updated browser is installed. Safari users are urged to make sure they are running the latest version of the browser, and users of Firefox and Chromium-based browsers should apply their vendors' updates as they ship, to protect their systems against attacks exploiting this flaw.