0.0.0.0 Day: 18-Year-Old Browser Flaw Affects Linux and macOS
Oligo Security’s research team recently uncovered a critical vulnerability dubbed the “0.0.0.0 Day” affecting Chromium, Firefox, and Safari browsers on macOS and Linux systems. This vulnerability allows malicious websites to bypass standard browser security protocols and interact with services running on an organization’s local network. It does not affect Windows devices.
The Anatomy of 0.0.0.0 Day
The root cause of the “0.0.0.0 Day” vulnerability lies in the inconsistent implementation of security mechanisms across different browsers and the lack of standardization within the industry. The IP address 0.0.0.0, often perceived as innocuous, can be weaponized by attackers to exploit local services, including those used for development, operating systems, and internal networks.
The vulnerability is particularly dangerous because it allows public websites (such as those on .com domains) to communicate with services running on a user’s local network (localhost). By substituting 0.0.0.0 for the more commonly used localhost or 127.0.0.1, attackers can potentially execute arbitrary code on the visitor’s machine.
This vulnerability, despite being reported as early as 2008, has remained unresolved across major browsers like Chrome, Firefox, and Safari, leaving millions of users at risk. Attackers have been actively leveraging the vulnerability to target local services, demonstrating the real-world impact and danger of this flaw.
Browser Responses
In response to the 0.0.0.0 Day vulnerability, browser developers have taken steps to mitigate the risk, but the complexity of the problem means that the vulnerability remains exploitable in the meantime.
Google Chrome and Chromium-Based Browsers
Google has led the charge with its Private Network Access (PNA) initiative, aimed at preventing websites from accessing private IPs like 127.0.0.1 via JavaScript when loaded from public websites. However, the 0.0.0.0 Day vulnerability managed to bypass the PNA mechanism in Chromium, rendering it ineffective against this specific threat.
Following Oligo Security’s report, Google announced that it would block access to 0.0.0.0, starting with Chromium version 128. This change will be gradually rolled out over the next few releases, with full implementation expected by Chrome 133, at which point the IP address will be blocked entirely for all Chrome and Chromium browsers.
Apple Safari
Apple’s Safari, which is based on the open-source WebKit engine, has also taken steps to address the 0.0.0.0 Day vulnerability. In response to the report, Apple made breaking changes to WebKit, adding a check to block requests if the destination host IP address is all zeroes. These changes are now part of WebKit’s source code, significantly reducing the risk of exploitation for Safari users.
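To make the Chromium PNA check and the WebKit all-zeros check above concrete, here is an added example (not code from Oligo Security, Chromium or WebKit) of a PNA-style decision over a fetch() destination. The WHATWG URL parser canonicalises "0", "0x0" and "0.0.0.0" to one hostname, so a single all-zeros check covers every spelling. The address-space table is a simplified approximation of the real one, the page origin https://public.example and the target ports are constructed, and 'dns' marks a named target that a real browser would have to classify again after resolution.

```javascript
// Added example, not code from Oligo Security, Chromium or WebKit: a PNA-style
// check over a fetch() destination, including the all-zeros address that the
// original PNA rules missed. The address-space table is a simplified version of
// the real one (it omits e.g. 0.0.0.0/8 handling and IPv4-mapped IPv6 text form).

// Parse a WHATWG-canonical hostname into 16 bytes (IPv4 stored as IPv4-mapped),
// or return null for a DNS name that still needs resolving.
function parseIpLiteral(hostname) {
  if (hostname.startsWith('[') && hostname.endsWith(']')) {
    return parseIpv6(hostname.slice(1, -1));
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, ...octets];
}

function parseIpv6(text) {
  const halves = text.split('::');
  if (halves.length > 2) return null;
  const groups = (s) => (s === '' ? [] : s.split(':').map((g) => parseInt(g, 16)));
  const head = groups(halves[0]);
  const tail = halves.length === 2 ? groups(halves[1]) : [];
  if ([...head, ...tail].some((g) => !Number.isInteger(g) || g < 0 || g > 0xffff)) return null;
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const all = [...head, ...new Array(missing).fill(0), ...tail];
  return all.flatMap((g) => [g >> 8, g & 0xff]);
}

// Classify 16 address bytes into a simplified PNA address space.
function addressSpace(bytes) {
  const v4 = bytes.slice(0, 10).every((b) => b === 0) && bytes[10] === 0xff && bytes[11] === 0xff;
  if (v4) {
    const [a, b, c, d] = bytes.slice(12);
    if (a === 0 && b === 0 && c === 0 && d === 0) return 'unspecified';   // 0.0.0.0
    if (a === 127) return 'loopback';
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
        (a === 169 && b === 254)) return 'private';
    return 'public';
  }
  if (bytes.every((b) => b === 0)) return 'unspecified';                                 // ::
  if (bytes.slice(0, 15).every((b) => b === 0) && bytes[15] === 1) return 'loopback';    // ::1
  if ((bytes[0] & 0xfe) === 0xfc || (bytes[0] === 0xfe && (bytes[1] & 0xc0) === 0x80)) return 'private';
  return 'public';
}

function spaceOfHostname(hostname) {
  if (hostname === 'localhost') return 'loopback';
  const bytes = parseIpLiteral(hostname);
  return bytes ? addressSpace(bytes) : 'dns';   // 'dns': a browser decides again once resolved
}

// Decide whether a document at pageOrigin may fetch targetUrl. The all-zeros
// address is refused outright, because the OS delivers it to the local host.
function fetchDecision(pageOrigin, targetUrl) {
  const target = new URL(targetUrl);              // canonicalises "0" and "0x0" to "0.0.0.0"
  const space = spaceOfHostname(target.hostname);
  if (space === 'unspecified') {
    return { allowed: false, space, reason: 'all-zeros destination reaches the local host' };
  }
  let pageSpace = spaceOfHostname(new URL(pageOrigin).hostname);
  if (pageSpace === 'dns') pageSpace = 'public';  // a named site is treated as public
  if (pageSpace === 'public' && (space === 'loopback' || space === 'private')) {
    return { allowed: false, space, reason: 'public page may not reach the private network (PNA)' };
  }
  return { allowed: true, space, reason: 'no restriction' };
}

// Constructed demo: a public page trying each spelling of the local host.
const DEMO_TARGETS = ['http://0.0.0.0:8080/', 'http://0:8080/', 'http://[::]:8080/',
                      'http://127.0.0.1:8080/', 'https://api.example/'];
for (const t of DEMO_TARGETS) console.log(t, fetchDecision('https://public.example', t));
```

The check that matters for this article is the 'unspecified' branch: a plain PNA rule that only compares the page's and target's address spaces lets 0.0.0.0 through, because it is neither loopback nor private by the table, which is why both Chromium and WebKit needed an explicit all-zeros test.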
Mozilla Firefox
Mozilla Firefox’s response to the 0.0.0.0 Day vulnerability has been less immediate. Unlike Chrome and Safari, Firefox has never restricted Private Network Access (PNA), which means it was technically always susceptible to this kind of attack. However, following the disclosure, Mozilla has prioritized implementing PNA and has changed the fetch specification to block 0.0.0.0.
While a fix is in progress, there is no immediate solution available for Firefox users. At some point in the future, 0.0.0.0 will be blocked by Firefox, but the timeline for this update remains uncertain.
Conclusion
Browsers are inherently designed to send requests to almost any HTTP server using JavaScript. When handling a cross-site response, browser security mechanisms decide the appropriate action: whether to propagate the response data to the JavaScript context or to return a masked response or error.
However, with the 0.0.0.0 Day vulnerability, a single request is enough to cause significant damage, bypassing these security measures entirely. This vulnerability’s impact is far-reaching, affecting both individuals and organizations by exposing local services to external threats.
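The article describes the browser-side fixes only, but a service running on a developer's machine cannot rely on every visitor's browser being patched. The following added example (not from the article or any browser or project) shows the defence such a service can apply itself: refusing requests whose Host header is not the loopback name and port it expects (a request sent to 0.0.0.0:8080 carries "0.0.0.0:8080"), and answering only the Origin it was built for. The port 8080, the origin names and the sample headers are constructed.

```javascript
// Added example, not from the article or any browser or project: a check a
// service on the developer's machine can apply itself, because it cannot rely on
// the visitor's browser to refuse 0.0.0.0. Port, names and headers are constructed.

const SERVICE_PORT = 8080;                                  // assumed port of the local service
const LOOPBACK_NAMES = new Set(['localhost', '127.0.0.1', '[::1]']);

// Accept a Host header only when it names the loopback interface and our own port.
// "0.0.0.0:8080" fails, as does any public name repointed at this machine.
function hostHeaderAllowed(hostHeader, port = SERVICE_PORT) {
  if (typeof hostHeader !== 'string' || hostHeader === '') return false;
  let parsed;
  try {
    parsed = new URL(`http://${hostHeader}/`);              // WHATWG parser splits host and port
  } catch {
    return false;                                           // malformed Host header
  }
  const hostPort = parsed.port === '' ? 80 : Number(parsed.port);
  return LOOPBACK_NAMES.has(parsed.hostname) && hostPort === port;
}

// Browsers attach Origin to cross-site requests. A local tool should answer only
// the origins it was built for (its own UI) and refuse the rest.
function originAllowed(originHeader, allowedOrigins) {
  if (originHeader === undefined) return true;              // same-origin or non-browser client
  return allowedOrigins.has(originHeader);
}

// Combined decision for one request, keyed on the two headers the browser sets.
function decideRequest(headers, { port = SERVICE_PORT,
                                  allowedOrigins = new Set([`http://localhost:${port}`]) } = {}) {
  if (!hostHeaderAllowed(headers.host, port)) return { status: 421, reason: 'unexpected Host header' };
  if (!originAllowed(headers.origin, allowedOrigins)) return { status: 403, reason: 'origin not allowed' };
  return { status: 200, reason: 'ok' };
}

// Constructed sample requests: the first is the tool's own UI; the others are what
// a public page reaching the service through 0.0.0.0, a rebound name, or the
// loopback address directly would send.
const SAMPLE_REQUESTS = [
  { host: 'localhost:8080', origin: 'http://localhost:8080' },
  { host: '0.0.0.0:8080', origin: 'https://public.example' },
  { host: 'rebound.example:8080', origin: 'https://public.example' },
  { host: '127.0.0.1:8080', origin: 'https://public.example' },
];
for (const req of SAMPLE_REQUESTS) console.log(req, decideRequest(req));
```

The Host check works regardless of which interface the service is bound to, and the Origin check catches the case the Host check cannot, where a public page addresses 127.0.0.1 directly in a browser that enforces no PNA rule at all, as the article notes Firefox did not.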
The sources for this article include a story from BleepingComputer.