Major browser vendors scramble to patch 18-year-old security flaw in macOS and Linux, but Windows remains fully immune


We Windows users are sometimes the butt of the joke when it comes to cybersecurity. Or at least we often were. Still, if I hear one more lecture on why Linux or Mac systems are more secure, I’ll at least have this article to refer to. Not always, I’ll say. Not always.

The Oligo Security research team has discovered the “0.0.0.0 Day” vulnerability, which affects the Google Chrome/Chromium, Mozilla Firefox and Apple Safari browsers and allows websites to communicate with software running on macOS and Linux (via Hacker News).

The vulnerability means that public websites using .com domains can communicate with services running on the local network by using the IP address 0.0.0.0 instead of localhost/127.0.0.1.
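As an added example (not from the article or from Oligo), this Python audit parses text in the Linux `/proc/net/tcp` format and lists the TCP listeners that a browser on the same host could reach by addressing 0.0.0.0. The sample table is constructed, and the decoder assumes IPv4 and a little-endian host.

```python
import ipaddress

LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11111 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0A01A8C0:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1
   3: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1
"""


def parse_listeners(text):
    """Return (IPv4Address, port) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address in host byte order; reverse the
        # bytes on a little-endian machine to get network order.
        addr = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
        listeners.append((addr, int(hex_port, 16)))
    return listeners


def reachable_via_zero_address(listeners):
    """Ports that answer a same-host connection to 0.0.0.0:<port>.

    Linux treats destination 0.0.0.0 as the local host, so sockets bound
    to loopback or to the wildcard address both accept the connection;
    a socket bound only to a LAN address does not.
    """
    return sorted(
        port for addr, port in listeners
        if addr.is_loopback or addr.is_unspecified
    )


if __name__ == "__main__":
    # On a Linux host, pass the contents of /proc/net/tcp instead.
    for port in reachable_via_zero_address(parse_listeners(SAMPLE_PROC_NET_TCP)):
        print(f"tcp/{port} is reachable through 0.0.0.0")
```

Each reported port is a local service worth checking for authentication, since it should not rely on being bound to localhost alone.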


The good news, at least if you’re a Windows user, is that Microsoft’s operating system blocks 0.0.0.0 at the system level. Hurray for a Microsoft security victory, which comes along less often than we’d like. The bad news for the rest of you is that this flaw has been exploitable since 2006, meaning it’s been an active cybersecurity hole for an astonishing 18 years.

The percentage of sites communicating using 0.0.0.0 is said to be growing. By analyzing Chromium counters, Oligo identified 0.015% of sites that could potentially be malicious. That may not seem like a lot, but the team estimates that 200 million sites were active as of August 2024.

There could potentially be 100,000 websites communicating through this particular IP address, but it is not yet known how many of them are using this capability for malicious purposes.

Oligo shared its findings with the security teams from each of the major browsers affected in April 2024. The company says each of them confirmed this and that work is underway to close the vulnerability.

However, it is up to browser developers to implement appropriate patches, and these patches are made available at different times in different browsers. Chrome is already blocking access to 0.0.0.0—starting with Chromium 128—and Google plans to phase this change in gradually, ending in Chrome 133.

Apple-based browsers such as Safari use WebKit, which has blocked 0.0.0.0 since the report. As for Mozilla Firefox, there is currently no immediate fix, but Mozilla has changed the Fetch specification to block 0.0.0.0 attempts. According to Oligo, “at some unspecified point in the future, 0.0.0.0 will be blocked by Firefox.”

Call me a little cocky, but given the recent high-profile cybersecurity failures involving Windows, I’ll take any victory I can get. If you’re a Windows PC user, it’s finally time for a victory lap. It’s not our fault, people, and we can sleep soundly in our beds tonight.
