Free Republic
General/Chat

Major browser providers scramble to patch an 18-year-old vulnerability affecting MacOS and Linux systems but Windows remains gloriously immune
PCGamer ^ | 09 August 2024 | Andy Edser

Posted on 08/09/2024 11:47:02 AM PDT by ShadowAce

We Windows users are sometimes the butt of the joke when it comes to cybersecurity issues. Or at least, we often used to be. Still, if I receive one more lecture on why Linux or Mac systems are more secure, I'll at least have this article to point to. Not always, I shall say. Not always.

Oligo Security's research team has discovered a “0.0.0.0 Day” vulnerability that affects Google Chrome/Chromium, Mozilla Firefox and Apple Safari browsers, enabling websites to communicate with software running on MacOS and Linux systems (via The Hacker News).

The vulnerability means public websites using .com domains are able to communicate with services running on the local network by using the IP address 0.0.0.0 instead of localhost/127.0.0.1.

The good news, if you're a Windows user at least, is that Microsoft's OS blocks 0.0.0.0 at a system level. Hooray for the sometimes-rarer-than-we'd-like Microsoft security win. The bad news for the rest of you is that this loophole is said to have been exploitable since 2006, which means it has been an active cybersecurity vulnerability for an astonishing 18 years.

It's said that the percentage of websites that communicate using 0.0.0.0 is on the rise. Looking at Chromium counters, Oligo has identified 0.015% of websites that could potentially be malicious. That might not sound like a lot, but according to the team, there are an estimated 200 million active websites as of August 2024. 

That's potentially 100,000 websites communicating over that particular IP address, although how many of them are using that capability for nefarious purposes is currently unknown.

Oligo disclosed its findings to security teams from each of the major browsers affected in April 2024, which the company says was acknowledged by each, and that changes are underway to plug the vulnerability.

However, it's up to browser developers to implement their respective fixes, and those fixes have been rolling out to different browsers at different times. Chrome is already blocking access to 0.0.0.0—starting with Chromium 128—and Google plans to gradually roll out the change with completion set for Chrome 133.

Apple-based browsers like Safari use Webkit, which has already blocked 0.0.0.0 since the report. As for Mozilla Firefox, there is currently no immediate fix, but Mozilla has changed the Fetch specification to block 0.0.0.0 attempts. According to Oligo, "at an undetermined point in the future, 0.0.0.0 will be blocked by Firefox."

Call me slightly smug, but given some high-profile Windows cybersecurity-related failures of late I'll take any win I can get. If you're a Windows PC user, it's finally time to take a victory lap. This one's not on us, folks, and we can rest easy in our beds tonight.


TOPICS: Computers/Internet
KEYWORDS: 0000; browser; windows; windowspinglist

1 posted on 08/09/2024 11:47:02 AM PDT by ShadowAce
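Added example for this thread, not code from the PC Gamer article, from Oligo Security, or from any browser vendor. It shows both sides of what the article describes: the destination check a browser needs so that 0.0.0.0 (and the other spellings a page can use for it) is treated like localhost rather than a public host, and the check a local HTTP service can apply itself so that it still refuses cross-site requests from a browser that has not yet shipped the block. The port numbers, hostnames and sample request headers are constructed for the example; the service-side logic assumes the service is only ever meant to be addressed as localhost or 127.0.0.1.

```javascript
// Added example (Node.js); not from the PC Gamer article, Oligo Security or
// any browser vendor. Hostnames, ports and sample headers are constructed.

const LOOPBACK_V4 = /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./];

// The WHATWG URL parser (Node's URL class) canonicalises odd IPv4 spellings,
// so "http://0/", "http://0x0/" and "http://127.1/" come back as "0.0.0.0",
// "0.0.0.0" and "127.0.0.1". IPv6 hostnames keep their brackets ("[::]").
function canonicalHost(urlString) {
  return new URL(urlString).hostname;
}

// Browser-side view: true when a URL points at this machine or the local
// network, i.e. loopback, the unspecified addresses 0.0.0.0 and ::, localhost,
// RFC 1918 and link-local ranges. This is the class of destination the
// article says Chromium and WebKit now refuse to let public pages reach.
function isLocalTarget(urlString) {
  let host;
  try {
    host = canonicalHost(urlString);
  } catch {
    return false; // unparsable URL: cannot be fetched, so nothing to classify
  }
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '0.0.0.0' || host === '[::]' || host === '[::1]') return true;
  if (LOOPBACK_V4.test(host)) return true;
  return PRIVATE_V4.some((re) => re.test(host));
}

// Service-side view: decide from request headers alone whether a local
// service should answer. `headers` is a plain object in the shape Node's
// http module provides (header names already lower-cased).
function rejectNonLocalBrowserRequest(headers) {
  // 1. Host pinning. A service bound to 127.0.0.1 only expects to be addressed
  //    as localhost or 127.0.0.1; a page fetching http://0.0.0.0:PORT/ makes
  //    the browser send "Host: 0.0.0.0:PORT".
  const hostOnly = String(headers.host || '').replace(/:\d+$/, '');
  const hostIsLoopback =
    hostOnly === 'localhost' || hostOnly === '[::1]' || LOOPBACK_V4.test(hostOnly);
  if (!hostIsLoopback) {
    return { reject: true, reason: `unexpected Host header "${headers.host}"` };
  }
  // 2. Fetch metadata. Chromium and Firefox label a request made by a page on
  //    another site with "Sec-Fetch-Site: cross-site"; the developer's own tab
  //    and non-browser clients (curl, scripts) do not trip this.
  const site = headers['sec-fetch-site'];
  if (site && site !== 'same-origin' && site !== 'none') {
    return { reject: true, reason: `cross-site browser request (Sec-Fetch-Site: ${site})` };
  }
  // 3. Origin, when the browser sends one, must itself be a local origin.
  if (headers.origin && !isLocalTarget(headers.origin)) {
    return { reject: true, reason: `foreign Origin "${headers.origin}"` };
  }
  return { reject: false, reason: 'ok' };
}

// Request handler in the shape http.createServer() expects. Wire it up with
//   require('http').createServer(guardedHandler).listen(8000, '127.0.0.1');
function guardedHandler(req, res) {
  const verdict = rejectNonLocalBrowserRequest(req.headers);
  if (verdict.reject) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end(`forbidden: ${verdict.reason}\n`);
    return;
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('hello from the local service\n');
}

// Constructed sample headers for three callers of a service on port 8000.
const SAMPLE_HEADERS = {
  // A page on https://evil.example fetching http://0.0.0.0:8000/ in a browser
  // that does not yet block 0.0.0.0.
  attack: { host: '0.0.0.0:8000', 'sec-fetch-site': 'cross-site', origin: 'https://evil.example' },
  // The same page trying the plain localhost spelling instead.
  attackLocalhost: { host: 'localhost:8000', 'sec-fetch-site': 'cross-site' },
  // The developer's own tab at http://localhost:8000/.
  ownTab: { host: 'localhost:8000', 'sec-fetch-site': 'same-origin' },
  // curl http://127.0.0.1:8000/ from a shell: no fetch metadata at all.
  curl: { host: '127.0.0.1:8000' },
};
```

The service-side check is the part worth copying: the browser fix lands at different times in different browsers (and not at all in older ones), whereas a local service that pins its Host header and honours Sec-Fetch-Site refuses the cross-site request regardless of which browser made it. The Windows point in the article is separate from both: there the connection to 0.0.0.0 never succeeds at the socket level, so neither check is reached.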

To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; Vinnie; ironman; Egon; raybbr; AFreeBird; ...

2 posted on 08/09/2024 11:47:15 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

3 posted on 08/09/2024 11:52:40 AM PDT by z3n (Kakistocracy)

To: ShadowAce

Well, I sure thought this was a Bee article!


4 posted on 08/09/2024 11:52:57 AM PDT by Attention Surplus Disorder (The Democrat breadlines will be gluten-free. )

To: ShadowAce

Slightly off subject, but Apple commercials are running saying that their Safari browser is “secure” or something like that. What’s up with that?


5 posted on 08/09/2024 11:59:20 AM PDT by cymbeline (we saw men break out of a concentration camp.”)

To: ShadowAce

6 posted on 08/09/2024 12:00:09 PM PDT by Billthedrill

To: ShadowAce

“Oligo Security’s research team has discovered a “0.0.0.0 Day” vulnerability that >affects Google Chrome/Chromium, Mozilla Firefox and Apple Safari browsers<, enabling websites to communicate with software running on MacOS and Linux systems (via The Hacker News).”

Isn’t this the fault of the Browser allowing it not the OS? Isn’t it the responsibility of a browser to keep the OS it was versioned for insulated? Pretty hard to pin this one on the OS because the browser devs left a hole open in particular versions.


7 posted on 08/09/2024 12:02:16 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: Openurmind
The good news, if you're a Windows user at least, is that Microsoft's OS blocks 0.0.0.0 at a system level.

If one OS blocks it, it's pretty hard to NOT blame the OS...

It does seem like a browser exploit though.

8 posted on 08/09/2024 12:04:55 PM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

one victory lap finally, after years and decades of being repeatedly lapped.


9 posted on 08/09/2024 12:05:14 PM PDT by PIF (They came for me and mine ... now its your turn)

>> If you’re a Windows PC user, it’s finally time to take a victory lap.

I recommend making it a short lap


10 posted on 08/09/2024 12:06:32 PM PDT by Gene Eric (Don't be a statist! )

To: ShadowAce

like china going to the moon, in terms of timeliness.


11 posted on 08/09/2024 12:06:55 PM PDT by xoxox

To: cymbeline
Slightly off subject, but Apple commercials are running saying that their Safari browser is “secure” or something like that. What’s up with that?

I am one of those that don't touch Apple products, but it looks they already fixed it.

Apple-based browsers like Safari use Webkit, which has already blocked 0.0.0.0. since the report.

12 posted on 08/09/2024 12:13:39 PM PDT by higgmeister (In the Shadow of The Big Chicken! )

To: ShadowAce; Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; AppyPappy; arnoldc1; ATOMIC_PUNK; ..
Browser OS vuln ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

thanks to ShadowAce for the ping!

13 posted on 08/09/2024 12:14:25 PM PDT by dayglored (“Courtesy is owed. Respect is earned. Love is given.” - Kinky Friedman 1944-2024)

To: cymbeline

Everything is secure compared to windows.

>80% of all viruses target Windows because that’s what most people use and they have most of the market share for desktops. Not a lot of viruses being written today targeting AtariTOS for some odd reason.

There are >10,000 viruses out there and it’s a matter of degrees, not all or nothing.


14 posted on 08/09/2024 12:16:22 PM PDT by Red6

To: ShadowAce

From DOS to Windows 11, Microsoft’s software is a hacker’s paradise.


15 posted on 08/09/2024 12:16:37 PM PDT by antidemoncrat

To: ShadowAce

> we (Windows folks) can rest easy in our beds tonight.

enjoy it while it lasts


16 posted on 08/09/2024 12:17:51 PM PDT by dayglored (“Courtesy is owed. Respect is earned. Love is given.” - Kinky Friedman 1944-2024)

To: ShadowAce

“we can rest easy in our beds tonight”

I’ve supported just about every Windows OS since 3.x running inside DOS. Given Microsoft’s security history, I wouldn’t recommend resting easy tonight or any night.


17 posted on 08/09/2024 12:21:45 PM PDT by chrisser (I lost my vaccine card in a tragic boating accident.)

To: ShadowAce

“It does seem like a browser exploit though. “

That is how I see it. This claims it utilizes the browsers. So this means there are discrepancies in the browser work they did for one OS version compared to the work they did for the other OS versions of that browser. I don’t think it’s so much that Windows is more resistant. I think it is more like they left holes in the browser for the others that they happened to not leave open for Windows.

And that would stand to reason considering history. They have always been late to the party or reluctant to accommodate alternative operating systems. Everything other than Windows is a red-headed stepchild. lol


18 posted on 08/09/2024 12:25:06 PM PDT by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)

To: ShadowAce

I just got an updated download from Apple for my MacBook Air last night so I guess the problem has been corrected.


19 posted on 08/09/2024 12:30:55 PM PDT by Captain Peter Blood

To: dayglored

🛌🛌🛌


20 posted on 08/09/2024 12:33:05 PM PDT by smokingfrog ( sleep with one eye open (<o> --- )



