A critical zero-day vulnerability [2], known as “0.0.0.0 Day,” has been discovered by researchers at Oligo Security [3] [4], affecting major web browsers like Chrome [3], Firefox [1] [3] [4] [5] [6] [7] [9] [10], and Safari [1] [3] [5] [7] [10].
Description
This flaw allows malicious websites to exploit harmless IP addresses such as 0.0.0.0 to breach local networks, potentially gaining access to sensitive services on devices running macOS and Linux. Hackers have been taking advantage of this vulnerability to access private data by sending requests to the 0.0.0.0 IP address.
Apple has confirmed that Safari in macOS Sequoia will block any attempts to contact the 0.0.0.0 IP address [1], and Google is also planning to implement similar restrictions in Chrome. Mozilla [1] [4] [6] [7] [8] [9] [10], on the other hand, is currently researching the issue and has not yet announced plans to block these queries.
Public websites using “.com” domains can communicate with local services and execute arbitrary code by using 0.0.0.0 instead of localhost/127.0.0.1 [9], bypassing Private Network Access restrictions [9]. Applications running on localhost [9], including local Selenium Grid instances [9], are vulnerable to remote code execution via 0.0.0.0 [9] [10]. To prevent attacks on private network endpoints from public websites [9], browser vendors are expected to implement fixes that block 0.0.0.0 as a target IP; the issue also underlines the importance of secure server implementations.
Google has already started blocking 0.0.0.0 requests in Chrome [8], with Apple [6] [7] [8] [10], Google [1] [4] [5] [6] [7] [8] [9] [10], and Mozilla collaborating on solutions to address this vulnerability. Apple is set to prevent attempts to hit 0.0.0.0 in the beta of macOS 15 Sequoia. While Windows systems are not susceptible to this exploit [7], Apple Macs and Linux machines are at risk [7]. Mozilla is currently working on a solution for Firefox [7], as blocking 0.0.0.0 could potentially lead to compatibility issues with servers that use the address as a substitute for localhost [7]. Researchers are scheduled to present their findings at the DEF CON conference in Las Vegas [7].
Google plans to restrict access to IP address 0.0.0.0 in Chromium 128 [10], while Apple is releasing updates to WebKit to block access [10]. Mozilla has updated the Fetch specification but has not yet implemented restrictions due to compatibility concerns [10]. Oligo Security recommends utilizing Private Network Access headers [8], HTTPS [6] [8], and CSRF tokens to enhance security [8].
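The server-side measures recommended above, sketched as an added example (not code from Oligo Security or from any of the cited articles): a request check for a local HTTP service that answers Private Network Access preflights only for an allow-listed origin and requires a CSRF token on state-changing requests. The origin `https://app.example.test`, the `X-CSRF-Token` header name and the function name `check_request` are assumptions made for illustration.

```python
import hmac
import secrets

# Assumed values for this sketch: the one web origin allowed to call the
# local service, and a per-session CSRF token handed to that UI out of band.
ALLOWED_ORIGINS = {"https://app.example.test"}
CSRF_TOKEN = secrets.token_urlsafe(32)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def check_request(method, headers, token=None):
    """Return (status, response_headers) for one request to a local service.

    `headers` is a dict of request headers; `token` is the expected CSRF token.
    """
    token = token or CSRF_TOKEN
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")

    if method == "OPTIONS":
        # CORS / Private Network Access preflight: grant only to known origins.
        if origin not in ALLOWED_ORIGINS:
            return 403, {}
        resp = {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Headers": "X-CSRF-Token, Content-Type",
            "Vary": "Origin",
        }
        if h.get("access-control-request-private-network") == "true":
            resp["Access-Control-Allow-Private-Network"] = "true"
        return 204, resp

    # Browsers attach Origin to cross-origin requests; refuse unknown origins.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, {}

    if method in STATE_CHANGING:
        # A foreign page cannot read the token, so it cannot forge this header.
        supplied = h.get("x-csrf-token", "")
        if not hmac.compare_digest(supplied.encode(), token.encode()):
            return 403, {}

    resp = {"Vary": "Origin"}
    if origin:
        resp["Access-Control-Allow-Origin"] = origin
    return 200, resp
```

The token check matters even where a browser does not yet enforce Private Network Access for 0.0.0.0, because a simple cross-origin POST is sent without any preflight.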
Conclusion
The discovery of the “0.0.0.0 Day” vulnerability highlights the importance of addressing security flaws in web browsers to protect sensitive data and prevent unauthorized access. Collaboration between major browser developers and security researchers is crucial in developing effective solutions to mitigate the risks posed by this vulnerability. Implementing recommended security measures, such as Private Network Access headers and HTTPS, can help enhance the security of local networks and prevent potential attacks. Moving forward, ongoing efforts to address compatibility concerns and implement restrictions on 0.0.0.0 will be essential in safeguarding against future exploits.
References
[1] https://www.macworld.com/article/2421205/apple-to-patch-decades-old-0-0-0-0-day-vulnerability-in-upcoming-safari-update.html
[2] https://www.tomsguide.com/computing/online-security/chrome-safari-and-other-browsers-vulnerable-to-0000-day-vulnerability-what-you-need-to-know
[3] https://cybersecuritynews.com/0-0-0-0-day/
[4] https://www.darkreading.com/cyberattacks-data-breaches/0000-day-flaw-puts-chrome-firefox-mozilla-browsers-at-rce-risk
[5] https://securityaffairs.com/166765/hacking/0-0-0-0-day-browsers-attack.html
[6] https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
[7] https://www.forbes.com/sites/thomasbrewster/2024/08/07/hackers-exploit-18-year-old-vulnerability-in-apple-google-and-mozilla-browsers/
[8] https://cyberscoop.com/browser-zero-day-oligo-security-0-0-0-0-day/
[9] https://thehackernews.com/2024/08/0000-day-18-year-old-browser.html
[10] https://www.laptopmag.com/laptops/an-18-year-old-browser-exploit-leaves-macbooks-and-linux-laptops-vulnerable-but-a-fix-is-coming