Researchers at Israel-based cybersecurity firm Oligo have discovered a critical 18-year-old vulnerability that affects all major web browsers, including Google's Chromium, Mozilla Firefox, and Apple's Safari, allowing attackers to breach local networks.
Dubbed 0.0.0.0 Day, this vulnerability bypasses web app security in all major browsers and interacts with services running on an organization's local network.
This interaction can potentially grant threat actors unauthorized access to sensitive information and, in some instances, even allow them to execute remote code on local services.
In other words, the attackers could potentially access files, messages, and credentials, manipulate or steal data, interrupt operations, or install further malicious software, all from outside the network.
However, it should be noted that this critical flaw only affects computers running Linux and macOS, and not Windows, as Microsoft blocks the IP address at the operating system level.
According to Avi Lumelsky, an AI security researcher at Oligo, public websites (like domains ending in .com) are able to communicate with services running on the local host (localhost) and potentially execute arbitrary code on the visitor's host by using the address 0.0.0.0 instead of localhost/127.0.0.1.
The issue stems from the inconsistent implementation of security mechanisms across different browsers, along with a lack of standardization in the browser industry.
As a result, the seemingly innocuous IP address, 0.0.0.0, can become a powerful tool for attackers to exploit local services, including those used for development, operating systems, and even internal networks, Lumelsky wrote in a security blog post.
Oligo also explains that it bypasses existing protection mechanisms like Cross-Origin Resource Sharing (CORS) and Private Network Access (PNA), which fail to prevent this dangerous activity.
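The mechanism described above works because a request a browser sends to http://0.0.0.0:PORT/ is delivered to whatever local service is listening on that port, carrying a Host header of 0.0.0.0:PORT. A local service that only ever expects to be reached via loopback does not have to rely on the browser's CORS or PNA enforcement: it can bind to 127.0.0.1 rather than all interfaces and refuse any request whose Host header is not a loopback name. The following is an added example written for this article (it is not Oligo's code and not one of the measures Oligo published); the handler class, function name and port 8000 are illustrative choices.

```python
"""Loopback-only hardening for a local development service (illustrative, not Oligo's code).

Two independent checks are shown:
  1. Bind the listener to 127.0.0.1 instead of 0.0.0.0, so the service is not
     reachable on other interfaces at all.
  2. Allowlist the Host header, so a request addressed to 0.0.0.0:8000 (or to a
     LAN address or an arbitrary hostname) is rejected with 403 even if the
     service is ever started on all interfaces by mistake.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit

# Hostnames accepted in addition to literal loopback IP addresses.
LOOPBACK_NAMES = {"localhost"}


def is_loopback_host(host_header: Optional[str]) -> bool:
    """Return True only if the Host header names the loopback interface.

    Accepts "localhost", any 127.0.0.0/8 address and ::1, each with an optional
    port. Rejects a missing header, 0.0.0.0, LAN addresses, arbitrary hostnames
    and malformed port values.
    """
    if not host_header:
        return False
    # Prefixing "//" lets urlsplit handle "host:port" and "[v6]:port" forms.
    try:
        parts = urlsplit("//" + host_header.strip())
        hostname = parts.hostname
        _ = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if hostname is None:
        return False
    if hostname in LOOPBACK_NAMES:
        return True
    try:
        # 0.0.0.0 parses fine but is_loopback is False, so it is rejected here.
        return ip_address(hostname).is_loopback
    except ValueError:
        return False  # not an IP literal and not an allowlisted name


class LoopbackOnlyHandler(BaseHTTPRequestHandler):
    """Minimal handler that enforces the Host allowlist before serving anything."""

    def do_GET(self) -> None:
        if not is_loopback_host(self.headers.get("Host")):
            self.send_error(403, "Host header is not a loopback address")
            return
        body = b"hello from the local service\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Check 1: bind to loopback only. Binding to "0.0.0.0" would expose the
    # service on every interface as well as via the 0.0.0.0 address itself.
    HTTPServer(("127.0.0.1", 8000), LoopbackOnlyHandler).serve_forever()
```

With the server running, a page that fetches http://0.0.0.0:8000/ gets a 403 from this handler, while http://localhost:8000/ and http://127.0.0.1:8000/ are served normally; the Host check is cheap and does not depend on which browser version the visitor uses.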
Oligo security researchers have observed multiple threat actors exploiting this flaw, including campaign attacks such as ShadowRay and SeleniumGreed.
In ShadowRay, the campaign actively targeted AI workloads running locally on developers' machines (Ray clusters), while in SeleniumGreed, the threat actors leveraged Selenium Grid public servers to gain initial access to organizations, using known Remote Code Execution (RCE) vulnerabilities.
In response to Oligo's disclosure, the browser developers are starting to take action to block access to 0.0.0.0 in Google Chrome, Mozilla Firefox, and Apple Safari:
Google Chrome: The world's most popular web browser has decided to block access to 0.0.0.0 (Finch Rollout), starting with Chromium 128 via a gradual rollout and completing it with Chrome 133. At that point, the IP address will be blocked completely for all Chrome and Chromium users.
Mozilla Firefox: Firefox users might have to wait a bit longer for the patch, as Mozilla stated that blocking 0.0.0.0 could cause significant compatibility issues for servers using that address.
Hence, it has not yet imposed any restrictions on accessing 0.0.0.0 but has plans to do so in the future.
Apple Safari: Apple plans to block all attempts from websites to send queries to 0.0.0.0 with the public beta version of macOS Sequoia.
The update will be shipped with Safari 18 and is expected to be rolled out to macOS Sonoma and macOS Ventura.
Until browser fixes arrive, Oligo suggests that app developers follow the measures below to protect local applications:
source: www.techworm.net