When it comes to cybersecurity issues, we Windows users are sometimes the butt of jokes. At least, that used to be the case. Still, if I had to take another lecture on why Linux or Mac systems are more secure, I could at least point to this article. Not always. Not always.
Oligo Security's research team discovered a 0.0.0.0 Day vulnerability affecting Google Chrome/Chromium, Mozilla Firefox, and Apple Safari browsers.
This vulnerability means that a public website using the .com domain can communicate with services running on the local network by using the IP address 0.0.0.0 instead of localhost/127.0.0.1.
If you are at least a Windows user, the good news is that Microsoft's operating system blocks 0.0.0.0 at the system level. That's a rare Microsoft security win for us. The bad news for the rest of us is that this loophole has allegedly been exploitable since 2006. This means that the loophole has been active as a cybersecurity vulnerability for an astonishing 18 years.
The percentage of websites communicating using 0.0.0.0 is reportedly on the rise; looking at Chromium's counter, Oligo has identified 0.015% of potentially malicious websites. This may not sound like a lot, but according to the team, as of August 2024, there are an estimated 200 million active websites.
This means that there are 100,000 possible websites communicating via that particular IP address, although it is currently unknown how many of them are using that functionality for malicious purposes.
Origo disclosed its findings to the security teams of the major affected browsers in April 2024, and the company acknowledged each of them and stated that changes are underway to plug the vulnerability.
However, it is up to the browser developers to implement each fix, and those fixes are being rolled out to different browsers at different times. Chrome has already blocked access to 0.0.0.0 (starting with Chromium 128), and Google plans to roll out this change gradually, to be completed with Chrome 133.
Apple-based browsers such as Safari use Webkit and have already blocked 0.0.0.0 since the report; for Mozilla Firefox, there is currently no immediate fix, but Mozilla is working on a 0.0.0.0 attempt to According to Oligi, "At some undetermined point in the future, 0.0.0.0 will be blocked by Firefox."
Call me a bit smug, but given the recent cybersecurity-related failures of Windows, I'll take any victory I can get. If you're a Windows PC user, it's finally time to climb the ladder of victory. Let's all get some rest in bed tonight.
Comments