
Apple fixes ancient bug that also affects Chrome and Firefox

Apple will correct a bug in Safari 18 that has been in the browser for 18 years. However, the same problem can also be found in many other browsers and is sometimes used by attackers.

Localhost without security

Security researchers at Oligo Security, who discovered the bug and the associated exploits, named it “0.0.0.0 Day”, because it is a zero-day vulnerability that can be exploited via the IP address 0.0.0.0. A website that carries a suitable script can use it to smuggle foreign code onto a computer and execute it there. Browsers treat 0.0.0.0 much like localhost/127.0.0.1, with one difference: requests to 127.0.0.1 pass through security routines that ensure no problematic code can be smuggled in, while requests to 0.0.0.0 skip them, because the address does not belong to the normal address space of the Internet Protocol.
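As an added example that is not code from the article or from Oligo, here is a check a local service could apply on its own side, independent of any browser fix: it refuses requests whose Host header names anything other than the expected loopback names (a browser sends the address it was given, so a page reaching the service via 0.0.0.0 shows up as Host: 0.0.0.0) and refuses cross-origin browser requests from untrusted origins. The service, port and allowlists are assumptions.

```python
"""Host/Origin validation for a service that should only be reachable
locally. Added example for this article; the service, the port 8080 and
both allowlists are assumptions, not values from the article."""

# Hostnames the local service legitimately expects in the Host header.
# 0.0.0.0 is deliberately absent, so requests addressed that way are refused.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
# Origins allowed to make cross-origin browser requests to the service.
TRUSTED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}


def _host_without_port(host_header):
    """Strip the port from a Host header value; keep IPv6 brackets."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def check_local_request(headers):
    """Return (allowed, reason) for the headers of one incoming request.

    `headers` is a dict of header name -> value (constructed input).
    """
    host = headers.get("Host")
    if host is None:
        return False, "missing Host header"
    if _host_without_port(host) not in ALLOWED_HOSTS:
        # A page that addressed the service as 0.0.0.0 lands here.
        return False, "unexpected Host: %s" % host
    origin = headers.get("Origin")
    if origin is None:
        # Same-origin navigation or a non-browser client such as curl.
        return True, "no Origin header"
    origin = origin.strip().lower().rstrip("/")
    if origin == "null":
        return False, "opaque origin"
    if origin in TRUSTED_ORIGINS:
        return True, "trusted origin"
    return False, "cross-site origin: %s" % origin


if __name__ == "__main__":
    # Constructed request as a foreign page would cause a browser to send it.
    print(check_local_request({"Host": "0.0.0.0:8080",
                               "Origin": "https://attacker.example"}))
```

Binding the service to 127.0.0.1 instead of 0.0.0.0 complements this check but does not replace it, because the Host and Origin values are what distinguish a foreign page's request from the user's own.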

The first reports that the resulting vulnerability could be exploited date back to 2006, according to the Oligo experts, who plan to present their research at the Defcon hacking conference starting today in Las Vegas. However, the browser manufacturers at the time apparently did not take note of the reports or take them seriously, so knowledge of the bug was eventually forgotten and it was never fixed.

Windows not affected

The folks at Oligo have identified the problem in various browsers. Apple will release a fix with the next major operating system update. Mozilla, however, has not yet found a solution for Firefox: the company stated that blocking 0.0.0.0 could break servers that use the address as a substitute for localhost. Chrome is also affected. However, only systems running macOS and Linux can be attacked via the vulnerability. Windows computers are not affected because Microsoft has decided to block 0.0.0.0 completely in its operating system.