Chrome, Firefox, Safari patch 0.0.0.0 security hole (2024)

A years-old security oversight has been addressed in basically all web browsers – Chromium-based browsers, including Microsoft Edge and Google Chrome, WebKit browsers like Apple's Safari, and Mozilla's Firefox.

It can be – and reportedly has been – exploited by miscreants to get access to software services they shouldn't have access to. It affects the aforementioned browsers on macOS and Linux – and possibly others – but at least not on Windows.

A firm called Oligo Security flagged up the vulnerability this month and named it a 0.0.0.0 Day because it involves the 0.0.0.0 IPv4 address. And it appears at least some attackers have been abusing this flaw since at least the late 2000s – judging by this Mozilla Bugzilla thread from that era, which is still listed as open.

According to Oligo, each of the three browsers' teams has promised to block all access to 0.0.0.0 and to enact its own mitigations to close the localhost loophole.

The problem is as simple as this: If you open a malicious webpage in a vulnerable browser on a vulnerable OS, that page can fire off requests to 0.0.0.0 and a port of its choosing. And if you have servers or other services running locally on your box on that port, those requests will go to it.

So if you have some service running on your macOS or Linux workstation on port 11223, and you assume no one can reach it because it's behind your firewall, and that your big-name browser blocks outside requests to localhost, guess again because that browser will route a 0.0.0.0:11223 request by a malicious page you're visiting to your service.

It's quite a long shot, in terms of practical exploitation – but you wouldn't want to find out the hard way that some site hit your local endpoint by luck. In fact, it's wryly amusing this is a thing in 2024.

There are supposed to be security mechanisms in place to prevent external websites from reaching your localhost in this way. Specifically, the Cross-Origin Resource Sharing (CORS) specification, and then the more recent Private Network Access (PNA), which is used by browsers to distinguish between public and non-public networks, and fortify CORS by restricting outside sites' ability to communicate with servers on private networks and host machines.

The Oligo team, however, was able to bypass PNA. The researchers set up a dummy HTTP server running on 127.0.0.1, aka localhost, on port 8080, and were then able to reach it from an external public site using JavaScript by sending a request to 0.0.0.0:8080.

"This means public websites can access any open port on your host, without the ability to see the response," Oligo security researcher Avi Lumelsky reported.
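Because the browser sends the request with a Host header of 0.0.0.0:port, a locally bound service can refuse the request itself rather than wait for the browser fix. The following is an added example (not Oligo's code and not any browser's implementation) of such a check: it accepts only loopback Host values, rejects the unspecified addresses 0.0.0.0 and "::", applies an assumed origin allow-list, and answers a Private Network Access preflight (Chrome's PNA header names are assumed here) only for an allowed origin.

```python
import ipaddress
from urllib.parse import urlsplit

# Origins this local service is willing to answer (hypothetical allow-list).
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}


def host_is_local(host_header):
    """True only if the Host header names the loopback interface.

    0.0.0.0 and "::" (the unspecified addresses) fail this check, and so
    does any LAN or public name, which also blunts DNS rebinding.
    """
    if not host_header:
        return False
    try:
        # "//" lets urlsplit parse "0.0.0.0:8080" and "[::]:8080" uniformly.
        hostname = urlsplit("//" + host_header).hostname
    except ValueError:
        return False
    if not hostname:
        return False
    if hostname == "localhost":
        return True
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:
        return False  # some other DNS name: not loopback


def check_request(method, headers):
    """Decide whether to serve a request; headers is a dict with lowercase keys.

    Returns (allowed, reason, extra_response_headers).
    """
    if not host_is_local(headers.get("host")):
        return False, "host is not loopback", {}
    origin = headers.get("origin")
    # A cross-site no-cors GET may carry no Origin header at all, which is
    # why the Host check above, not this one, is the primary defence.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed", {}
    extra = {}
    # PNA preflight (header names as used by Chrome's implementation, assumed
    # here): only an allow-listed origin is granted private-network access.
    pna = headers.get("access-control-request-private-network") == "true"
    if method == "OPTIONS" and pna and origin:
        extra["Access-Control-Allow-Private-Network"] = "true"
        extra["Access-Control-Allow-Origin"] = origin
    return True, "ok", extra
```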

In response to this, Chrome will block access to 0.0.0.0 starting with Chromium 128, and Google will gradually roll out this change to be completed by Chrome 133. Apple has made changes to its WebKit open source software that block access to 0.0.0.0.

Mozilla doesn't have an immediate fix, and has not implemented PNA in Firefox. According to Oligo, Mozilla did change the Fetch specification (RFC) to block 0.0.0.0 following its report.

A Mozilla spokesperson sent The Register the following statement via email:

We are aware that there are services deployed to hosts or local networks that are vulnerable to attack from websites. These services rely on being inaccessible as their only means of defense. The CORS protocol contains safeguards against this risk, but those safeguards contain a number of key exclusions that were deemed necessary to avoid breaking pre-existing usage.

An unspecified address ("0.0.0.0" in IPv4 or "::" in IPv6) is sometimes usable as a means of accessing a service on a device in place of a "loopback" address of "localhost", "127.0.0.1", or "::1". Use of an unspecified address is therefore a specific case of this more general problem.

Mozilla is supportive of efforts to improve the security of these vulnerable services by improving the restrictions in CORS. However, we are aware that imposing tighter restrictions comes with a significant risk of introducing compatibility problems. As the standards discussion and work to understand those compatibility risks is ongoing, Firefox has not implemented any of the proposed restrictions. We plan to continue our engagement in that process.

According to Oligo, this research makes a strong case for PNA.

"Until PNA fully rolls out, public websites can dispatch HTTP requests using Javascript to successfully reach services on the local network," Lumelsky wrote. "For that to change, we need PNA to be standardized, and we need browsers to implement PNA according to that standard." ®
