
Browser vulnerability can be used to breach local networks

By Staff Writer
Aug 9 2024 6:41AM

Google and Apple make progress with fixes.

Security researchers have uncovered a browser vulnerability affecting macOS and Linux users that can be used to breach local networks.


The vulnerability, reported to browser makers by Oligo Security, has been dubbed “0.0.0.0 Day” and “exposes a fundamental flaw in how browsers handle network requests”, the researchers said in a blog post.

“Oligo researchers have found that public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1.”

Oligo said that the issue “stems from the inconsistent implementation of security mechanisms across different browsers, along with a lack of standardisation in the browser industry.”

It disclosed the vulnerability to the makers of Chromium, Firefox and Safari in April.

“The browser teams at each company have acknowledged the security flaw and will work on changing the related standard, and will also implement browser-level mitigations,” the researchers wrote.

“Eventually, all browsers will block 0.0.0.0, but at the same time, the market demands a common standard to follow as well. 

“Due to the nature of the vulnerability and the complexity of the patch across browsers, it remains exploitable, allowing external websites to communicate with services on localhost.”

Oligo said that both Google and Apple have made changes.

“Chrome is blocking access to 0.0.0.0 (Finch Rollout) starting with Chromium 128. Google will gradually roll out this change over the next few releases, completing it by Chrome 133, at which point the IP address will be blocked completely to all Chrome and Chromium users,” Oligo noted.

“Apple [also] made breaking changes to WebKit that block access to 0.0.0.0.”

The researchers said there is “no immediate fix in Firefox” but that one “is in progress”. They added that 0.0.0.0 “will be blocked by Firefox… at an undetermined point in the future.”
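Because the article says the issue remains exploitable while the browser changes roll out, a service listening on the loopback interface can apply its own guard. The following is an added example, not code from the article or from Oligo Security: it refuses any request whose Host header names 0.0.0.0 (or anything other than a loopback host) and refuses browser requests whose Origin is a public site, which is the public-website-to-localhost path the researchers describe. The service, its port, and every header value are constructed for illustration.

```python
"""
Host/Origin guard for a service that should only be reached from the same
machine. Added example (not the article's or Oligo's code); the service,
port and all header values are constructed samples.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def host_is_local(host_header):
    """True only if the Host header names a loopback host.

    0.0.0.0 is deliberately rejected: on macOS and Linux a connection to
    0.0.0.0 reaches loopback listeners (the path the article describes), but
    no legitimate same-machine client needs to address the service that way.
    """
    if not host_header:
        return False
    try:
        # "//host:port" lets urlsplit separate the host from an optional port,
        # including bracketed IPv6 literals such as "[::1]:8000".
        hostname = urlsplit("//" + host_header.strip()).hostname
    except ValueError:
        return False
    if hostname is None:
        return False
    if hostname == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return False  # any other DNS name: not a loopback host
    # ip_address("0.0.0.0").is_loopback is False, so 0.0.0.0 fails here.
    return addr.is_loopback


def origin_is_local(origin_header):
    """True if there is no Origin header (non-browser client or same-origin
    navigation) or the Origin is itself served from a loopback host."""
    if origin_header is None:
        return True
    if origin_header.strip() == "null":
        return False  # opaque origin (sandboxed iframe, file://): refuse
    parts = urlsplit(origin_header.strip())
    if parts.scheme not in ("http", "https"):
        return False
    return host_is_local(parts.netloc)


def request_allowed(headers):
    """Decide whether to serve a request, given a mapping of header names to
    values (matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    return host_is_local(lower.get("host")) and origin_is_local(lower.get("origin"))


class GuardedHandler(BaseHTTPRequestHandler):
    """Serves only requests that pass request_allowed(); everything else gets 403."""

    def do_GET(self):
        if not request_allowed(self.headers):
            self.send_error(403, "Request rejected: non-local Host or Origin")
            return
        body = b"hello from a loopback-only service\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port=8000):
    # Bind to 127.0.0.1, not 0.0.0.0, so the socket is not reachable from the LAN.
    HTTPServer(("127.0.0.1", port), GuardedHandler).serve_forever()


if __name__ == "__main__":
    # Constructed sample requests, as a browser or local tool would send them.
    samples = [
        {"Host": "127.0.0.1:8000"},                                        # local tool: allowed
        {"Host": "localhost:8000", "Origin": "http://localhost:8000"},     # local page: allowed
        {"Host": "0.0.0.0:8000", "Origin": "https://public.example"},      # the 0.0.0.0 path: refused
        {"Host": "127.0.0.1:8000", "Origin": "https://public.example"},    # public origin: refused
    ]
    for s in samples:
        print(s, "->", "allow" if request_allowed(s) else "deny")
```

The Host check is the part that matters for the 0.0.0.0 case: a browser fix stops the request from ever leaving the browser, whereas this check stops a service from answering it if the request does arrive. Binding the listener to 127.0.0.1 rather than 0.0.0.0 is the complementary step on the server side.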

Copyright © iTnews.com.au. All rights reserved.
Tags: 0000, oligo security, security