“0.0.0.0-Day” vulnerability affects Chrome, Safari and Firefox (Security News, August 2024)
A "0.0.0.0-Day" vulnerability affecting Chrome, Safari and Firefox can be - and has been - exploited by attackers to gain access to services on internal networks, Oligo Security researchers have revealed.
The vulnerability stems from how these popular browsers handle network requests from external, public websites, and may allow attackers to change settings, gain access to protected information, upload malicious models, or even achieve remote code execution.
0.0.0.0-Day allows a malicious website to send off a request to the 0.0.0.0 IPv4 address and a specific port, and a vulnerable browser will forward that request to a service running on that port on the host.
The Private Network Access (PNA) specification distinguishes between public, private, and local networks, and prevents pages loaded in a less-secure context from communicating with more-secure contexts, but it does not take effect when the request is sent to the 0.0.0.0 address.
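A service running on the host can defend itself regardless of what the browser does: a request that arrives with a Host header of 0.0.0.0, or with an Origin belonging to a public site, is one the service should refuse. The following is an added example (not Oligo's or any browser vendor's code) of such a Host/Origin filter for a loopback-bound Python service; the allowed hosts, the port 8000 and the allowed origins are assumptions for illustration.

```python
"""Host/Origin validation for a service bound to the loopback interface.
Added example; the allowed hosts, port and origins are assumed values."""
from wsgiref.simple_server import make_server  # only used by the demo server

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
ALLOWED_ORIGINS = {"http://localhost:8000", "http://127.0.0.1:8000"}


def host_name(host_header):
    """Return the host part of a Host header without any :port suffix.
    IPv6 literals keep their brackets, so "[::1]:8000" -> "[::1]"."""
    if host_header.startswith("["):
        return host_header.split("]", 1)[0] + "]"
    return host_header.rsplit(":", 1)[0]


def check_request(headers):
    """Decide whether a request may reach the service.

    headers: mapping of lower-case header names to values.
    Returns (allowed, reason). Host and Origin are set by the browser
    itself and cannot be overridden by page script, so a request
    routed via 0.0.0.0 or issued by a public site is recognisable here.
    """
    host = headers.get("host", "")
    if host_name(host) not in ALLOWED_HOSTS:
        return False, f"unexpected Host header {host!r}"
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"cross-site Origin {origin!r}"
    return True, "ok"


def app(environ, start_response):
    """Minimal WSGI app that applies check_request before serving anything."""
    headers = {"host": environ.get("HTTP_HOST", "")}
    if "HTTP_ORIGIN" in environ:
        headers["origin"] = environ["HTTP_ORIGIN"]
    allowed, reason = check_request(headers)
    if not allowed:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [reason.encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the local service\n"]


if __name__ == "__main__":
    # Bind to loopback only; the header check is the second line of defence.
    make_server("127.0.0.1", 8000, app).serve_forever()
```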
Google will start blocking access to 0.0.0.0 starting with Chromium 128 and will complete the process by Chrome 133.
Apple has changed its WebKit browser engine to block access to 0.0.0.0 and will ship the change in the new macOS version. Mozilla has changed the Fetch specification to block 0.0.0.0 and, according to the researchers, "At an undetermined point in the future, 0.0.0.0 will be blocked by Firefox and will not depend on PNA implementation."