Apple’s recent announcement that Safari will block website requests to the IP address 0.0.0.0 on macOS Sequoia is a significant step in bolstering browser security. The change ships in Safari 18, which will also be available for macOS Sonoma and macOS Ventura.
The move comes in response to a vulnerability, dubbed “0.0.0.0 Day”, discovered by Israeli cybersecurity startup Oligo Security. The flaw lets a public website reach services listening on a visitor’s own machine and internal private network, and it will be detailed at the DEF CON hacking conference in Las Vegas. Oligo Security’s Avi Lumelsky explained that exploiting this vulnerability could open a wide range of attack vectors by accessing the victim’s internal private network.
The researchers responsibly disclosed the vulnerability to major tech companies, including Apple, Google, and Mozilla. Apple has confirmed that Safari in macOS Sequoia will block any website attempting to contact the 0.0.0.0 IP address, and Google has announced similar plans for Chrome. Mozilla has yet to ship a fix for Firefox but is researching the issue. The vulnerability affects all major browsers on macOS and Linux, and the underlying issue was first reported in a Mozilla bug tracker entry in 2006. Browsers already restrict what a public page may send to localhost/127.0.0.1; by addressing the same machine as 0.0.0.0 instead, a public website sidesteps that restriction and, where a local service accepts unauthenticated commands, can run code on the visitor’s hardware, which made this a critical flaw that needed addressing.
The loophole lies in how browsers handle requests to the 0.0.0.0 IP address: on macOS and Linux the operating system delivers a connection to 0.0.0.0 to the machine itself, so the request lands on whatever is listening on localhost, which is often in-development code. This let attackers collect private data from, and run rogue code through, services on the victim’s machine. The problem has been confined to macOS and Linux users, because Windows refuses connections to 0.0.0.0 at the operating-system level. Following the vulnerability’s discovery, Apple announced that it would block all attempts by websites to access 0.0.0.0 in the macOS Sequoia beta, with the fix to follow in shipping updates.
Apple’s fix is in WebKit, which now blocks access to 0.0.0.0 by adding a check on the destination host’s IP address. Google and Mozilla are also taking steps to mitigate this issue: Google is rolling out the block in updates to Chrome and Chromium-based browsers, while Mozilla has updated the Fetch specification to block 0.0.0.0 and is still working on implementing it in Firefox.
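To make the mechanism concrete, here is an added example of a destination-address check of the kind the article says WebKit gained. It is not code from the article, Apple, Google or Mozilla. It shows the naive hostname blocklist that a request to 0.0.0.0 slips past beside a check made on the parsed IP address, and it goes a little beyond the article by also covering the other loopback, private and link-local ranges (an assumed list, not any vendor’s). It uses only the WHATWG URL class, so it runs in a browser or under Node.

```javascript
// Added example, not code from the article or from any browser vendor.

// A blocklist keyed on the hostname string: this is the gap 0.0.0.0 Day exploited.
// 0.0.0.0 is neither "localhost" nor "127.0.0.1", yet on macOS and Linux a TCP
// connection to it reaches the machine's own listening services.
function naiveBlocksRequest(url) {
  const { hostname } = new URL(url);
  return hostname === 'localhost' || hostname === '127.0.0.1';
}

// Convert a canonical dotted-decimal IPv4 string (what the URL parser emits) to a
// 32-bit unsigned integer. Returns null for anything else (names, IPv6 literals).
function ipv4ToInt(hostname) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

// Ranges a public page should not be allowed to reach. 0.0.0.0/8 is the one the
// loopback/private-network rules missed; the rest is an assumed list following the
// usual private-network definitions, not quoted from any vendor.
const BLOCKED_IPV4_RANGES = [
  ['0.0.0.0/8', 'unspecified, delivered to the local host on macOS/Linux'],
  ['127.0.0.0/8', 'loopback'],
  ['10.0.0.0/8', 'private'],
  ['172.16.0.0/12', 'private'],
  ['192.168.0.0/16', 'private'],
  ['169.254.0.0/16', 'link-local'],
];

// True if the 32-bit address `ip` falls inside `cidr` (e.g. "172.16.0.0/12").
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// The check a browser needs: parse the URL first (the URL parser canonicalises
// shorthand such as "0", "0x0" or "0.0" to 0.0.0.0 and "0x7f.1" to 127.0.0.1),
// then decide on the resulting address rather than on the hostname text.
function classifyDestination(url) {
  const { hostname } = new URL(url);
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) {
    return { hostname, blocked: true, reason: 'localhost name' };
  }
  if (hostname === '[::]' || hostname === '[::1]') {
    const reason = hostname === '[::]' ? 'IPv6 unspecified' : 'IPv6 loopback';
    return { hostname, blocked: true, reason };
  }
  const ip = ipv4ToInt(hostname);
  if (ip !== null) {
    for (const [cidr, reason] of BLOCKED_IPV4_RANGES) {
      if (inCidr(ip, cidr)) return { hostname, blocked: true, reason: `${cidr} (${reason})` };
    }
  }
  return { hostname, blocked: false, reason: 'public' };
}

// Stand-alone demo: the same constructed targets through both checks.
const DEMO_TARGETS = [
  'http://127.0.0.1:8000/', 'http://0.0.0.0:8000/', 'http://0:8000/',
  'http://0x7f.1:8000/', 'http://[::]:8000/', 'https://example.com/',
];
for (const target of DEMO_TARGETS) {
  const verdict = classifyDestination(target);
  console.log(
    `${target.padEnd(24)} naive=${naiveBlocksRequest(target)} ` +
    `checked=${verdict.blocked} as ${verdict.hostname} (${verdict.reason})`,
  );
}
```

The point of the second check is that it is applied to the address the request will actually connect to, after URL parsing, which is why the shorthand forms `http://0:8000/` and `http://0x7f.1/` are caught as well as the literal `0.0.0.0`. A blocklist compared against the raw hostname string cannot be made complete.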
(via Forbes)