Security researchers have disclosed a vulnerability that affects all modern browsers. What makes it particularly worrisome is that it has been known for 18 years; that goes back to a time before Google even thought of creating Chrome.
The details:
- The researchers call the issue 0.0.0.0 Day.
- It allows malicious websites to interact with services that run on the local network.
- This could lead to unauthorized access or remote code execution attacks on local services from outside the local network.
In other words: the security issue allows malicious websites to circumvent security protections. Chromium’s Private Network protection does not protect against this, and neither does Firefox. Apple’s Safari browser was also vulnerable, but the company has released a patch that blocks access to 0.0.0.0.
The blog post provides a technical description of the vulnerability. It also explains why it took this long to react to it.
The researchers found a Mozilla bug listing that dates back 18 years. It shows that the developers were not sure whether the reported bug was a security issue, a bug, or no flaw at all.
How Google, Mozilla, and Apple plan to react
Researchers at Oligo disclosed the vulnerability to security teams of major browsers in April 2024.
- Google: plans to block access starting in Chrome 128 and finalize the rollout by Chrome 133. Other Chromium-based browsers will get this as well.
- Apple: has implemented a change that blocks destination host IP addresses, if the IP is all zeroes.
- Mozilla: fix is in progress. Firefox is special, as it never restricted Private Network Access in the first place. Will implement Private Network Access, but no ETA on this one.
The fixes are important, but so is standardization of the issue. HTTP requests to 0.0.0.0 should be added to security standards according to the security researchers.
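Apple's change keys on the destination IP being all zeroes. As an added example (not code from the article, Oligo, or any browser), here is the same test applied to URLs in JavaScript, for instance when auditing a site's own resource URLs or filtering requests in a proxy. The function names, the sample URLs, and the decision to treat the IPv6 unspecified address `[::]` as in scope are assumptions.

```javascript
// Added example: flag URLs whose destination host is the all-zero address.
// The WHATWG URL parser (global `URL` in Node.js and browsers) normalizes
// shorthand IPv4 spellings such as "0", "0x0" and "0.0" to "0.0.0.0", so the
// check compares the normalized hostname rather than matching the raw string.

const WEB_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

// "[::]" (IPv6 unspecified address) is included as an assumption; the article
// itself only speaks of an IP that is "all zeroes".
const ALL_ZERO_HOSTS = new Set(["0.0.0.0", "[::]"]);

function isAllZeroDestination(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // relative or malformed: no absolute destination to judge
  }
  // Only special schemes get IPv4 normalization; other schemes are out of scope.
  if (!WEB_SCHEMES.has(url.protocol)) return false;
  return ALL_ZERO_HOSTS.has(url.hostname);
}

// Return the subset of URLs that should be blocked or reviewed.
function auditUrls(urls) {
  return urls.filter(isAllZeroDestination);
}

// Constructed sample input (not taken from any real site).
const sampleUrls = [
  "http://0.0.0.0:8080/status",
  "http://0:8080/status",              // shorthand, normalizes to 0.0.0.0
  "http://0x0/",                       // hex form, normalizes to 0.0.0.0
  "ws://[::]:9000/socket",             // IPv6 unspecified address
  "https://example.com/?next=0.0.0.0", // all-zero only in the query string
  "http://10.0.0.0/",                  // private range, but not all-zero
  "/relative/path",
];

console.log(auditUrls(sampleUrls));
```

A plain substring match on `0.0.0.0` would miss the second and third sample URLs and wrongly flag the fifth.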
Closing Words
The security researchers note that use of 0.0.0.0 on the Web is on the rise. They use counters provided by Chromium for this. According to those, it is used by 0.015% of all websites. While that may not sound like much, it equates to roughly 100,000 public websites that may communicate with 0.0.0.0.
Malicious actors may exploit the issue in their attacks. Oligo points out that ShadowRay, a recent attack that targets AI workloads, could be executed from browsers using 0.0.0.0 as the attack vector.
It is unclear if browser extensions such as Port Authority for Firefox provide protection against this kind of attack.
What is your take on this new vulnerability? Seems that there is always something new, or shall I say old, that is affecting the security of browsers. (via Born)
In my usually suspicious manner I have to wonder if the true goal here is to prevent the blocking of advertisement.
0.0.0.0 is used in hosts files to block access to sites the user considers malicious.
I used to get a premade hosts file from https://winhelp2002.mvps.org/hosts.htm but the site operator stopped updating the file in 2021 due to health issues. Here’s a quote from that site.
“Important Note: The HOSTS file now contains a change in the prefix in the HOSTS entries to “0.0.0.0” instead of the usual “127.0.0.1”.
This was done to resolve a slowdown issue that occurs with the change Microsoft made in the “TCP loopback interface” in Win8.1.”
And this vulnerability ‘only’ affects browsers on MacOS and Linux. Somehow Not Windows!
Thanks for the article, Martin.
I think this issue can be prevented by blocking 0.0.0.0 access in browser ad filter lists.
Addendum: uBlock Origin’s Block Outsider Intrusion into LAN list should already protect browsers from this attack.
From what I’ve read elsewhere on the subject Windows isn’t vulnerable to this issue. Yes, it affects all browsers, but only on the macOS and Linux OS. Or at least that’s what it says on the Oligo Security site which first broached the subject: https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
That would seem to be confirmed by The Register site: https://www.theregister.com/2024/08/09/0000_day_bug/ and a few other sites I’ve come across.
So nothing to be concerned about if you’re a Windows user.