Oligo Security reports flaw affecting all browsers on Mac and Linux, dubbed "0.0.0.0 Day"

Take action: This is another reminder to keep your browsers updated, and that Linux and Mac are not immune to exploitation. Against a flaw of this kind there is little an end user can do beyond maintaining update discipline and steering clear of suspicious sites.

Learn More

Oligo Security is raising awareness of a vulnerability dubbed "0.0.0.0 Day," which impacts all major web browsers on Mac and Linux.

The root of this issue lies in the inconsistent implementation of security mechanisms across different browsers, coupled with a lack of industry-wide standardization. Specifically, the IP address 0.0.0.0, often used as a placeholder or default address, is not treated as a local address by these mechanisms, yet a request to it is delivered to the local machine; attackers can therefore use it to reach local services, including those used for development, operating-system components, and internal networks.

The vulnerability allows malicious websites to bypass browser security mechanisms and interact with services running on the visitor's own machine, which can lead to unauthorized access and remote code execution (RCE) on those local services by attackers outside the network.

The vulnerability affects devices running macOS and Linux. Windows systems are not impacted because the 0.0.0.0 IP address is blocked at the operating system level. All major browsers are affected, including Google Chrome, Microsoft Edge, Safari, and Firefox.

Attackers can use 0.0.0.0 to bypass security mechanisms like Private Network Access (PNA), which is meant to prevent public websites from directly reaching endpoints on a private network: because 0.0.0.0 was not classified as a private or loopback address, requests to it slipped past the check.

Google has started blocking access to 0.0.0.0 with Chromium version 128, and this change will be fully rolled out by version 133. Apple has implemented changes in WebKit to block requests to the 0.0.0.0 IP address entirely. Firefox states that although PNA was not initially implemented in Firefox, the Fetch specification has been updated to block 0.0.0.0. A full implementation of PNA is expected in the future.
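To make the bypass and the vendors' fix concrete, here is an added example (not Oligo's code and not any browser's code) of a PNA-style address classifier: the `fixed=False` path mirrors the pre-fix behaviour the article describes, where 0.0.0.0 matches no private or loopback range and is therefore treated as public, and the `fixed=True` path adds the block on the unspecified address. The range list and the `check_request` function are assumptions chosen for illustration, and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the ranges a PNA-style check treats as non-public. This
# approximates the idea, it is not copied from any browser's source.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_local_address(addr: str, block_unspecified: bool) -> bool:
    """True if a literal IP targets the local machine or a private network.

    With block_unspecified=False, 0.0.0.0 falls in none of LOCAL_RANGES and is
    classified as public even though macOS and Linux deliver a request to it
    to the local host. With block_unspecified=True the unspecified addresses
    (0.0.0.0 and ::) are treated as local, which is the effect of the fix.
    """
    ip = ipaddress.ip_address(addr)  # raises ValueError for hostnames
    if block_unspecified and ip.is_unspecified:
        return True
    return any(ip in net for net in LOCAL_RANGES)


def check_request(target_url: str, fixed: bool = True) -> tuple[bool, str]:
    """Decide whether a public page's request to target_url should pass.

    Returns (allowed, reason). Only literal IP hosts are classified here; a
    hostname has to be resolved first, so it is reported rather than judged.
    """
    host = urlsplit(target_url).hostname  # brackets stripped for IPv6
    if host is None:
        return False, "blocked: no host in URL"
    try:
        local = is_local_address(host, block_unspecified=fixed)
    except ValueError:
        return True, f"hostname {host!r}: resolve before classifying"
    if local:
        return False, f"blocked: {host} is a local or unspecified address"
    return True, f"allowed: {host} is public"


if __name__ == "__main__":
    # Constructed sample targets; 203.0.113.7 is from a documentation range.
    for url in ("http://0.0.0.0:8000/api", "http://127.0.0.1:8000/api",
                "http://[::]:8000/", "http://203.0.113.7/"):
        for fixed in (False, True):
            allowed, why = check_request(url, fixed=fixed)
            print(f"fixed={fixed!s:5} {url:28} -> {why}")
```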

Ongoing exploitation campaigns, such as the "ShadowRay" attack, demonstrate that this vulnerability is practically exploitable, underscoring the need for immediate attention and remediation by browser vendors.
