Browser vulnerability can be used to breach local networks

By

Google and Apple make progress with fixes.

Security researchers have uncovered a browser vulnerability impacting MacOS and Linux users that can be used to breach local networks.

Browser vulnerability can be used to breach local networks

The vulnerability, reported to browser makers by Oligo Security, has been dubbed “0.0.0.0 Day” and “exposes a fundamental flaw in how browsers handle network requests”, the researchers said in a blog post.

“Oligo researchers have found that public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1.”

Oligo said that the issue “stems from the inconsistent implementation of security mechanisms across different browsers, along with a lack of standardisation in the browser industry.”

It disclosed the vulnerability to Chromium, Firefox, Safari browser makers in April. 

“The browser teams at each company have acknowledged the security flaw and will work on changing the related standard, and will also implement browser-level mitigations,” the researchers wrote.

“Eventually, all browsers will block 0.0.0.0, but at the same time, the market demands a common standard to follow as well. 

“Due to the nature of the vulnerability and the complexity of the patch across browsers, it remains exploitable, allowing external websites to communicate with services on localhost.”

Oligo said that both Google and Apple have made changes.

“Chrome is blocking access to 0.0.0.0 (Finch Rollout) starting with Chromium 128. Google will gradually roll out this change over the next few releases, completing it by Chrome 133, at which point the IP address will be blocked completely to all Chrome and Chromium users,” Oligo noted.

“Apple [also] made breaking changes to WebKit that block access to 0.0.0.0.”

The researchers said there is “no immediate fix in Firefox” but that one “is in progress”. They added that 0.0.0.0 “will be blocked by Firefox… at an undetermined point in the future.”

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
0000oligo securitysecurity

Sponsored Whitepapers

Optus Enterprise Mobility
Optus Enterprise Mobility
Life After VMware: Scale Securely with mCloud by Micron21
Life After VMware: Scale Securely with mCloud by Micron21
Cut Cloud Costs Without Compromise: Discover mCloud by Micron21
Cut Cloud Costs Without Compromise: Discover mCloud by Micron21
What 4 wholesale distribution challenges aren’t going away anytime soon?
What 4 wholesale distribution challenges aren’t going away anytime soon?
State of the SOC: Building Resilience in a Shifting Threat Landscape
State of the SOC: Building Resilience in a Shifting Threat Landscape

Events

Most Read Articles

"VoidProxy" PhishKit targets Google and Microsoft users

"VoidProxy" PhishKit targets Google and Microsoft users
First npm worm "Shai-Hulud" released in supply chain attack

First npm worm "Shai-Hulud" released in supply chain attack
Apple adds "mercenary spyware" protection to new A19 chip

Apple adds "mercenary spyware" protection to new A19 chip
Phishing attack nets enormous npm supply chain compromise

Phishing attack nets enormous npm supply chain compromise
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?