This problem, known as the 0.0.0.0-day exploit, affects Chrome, Firefox, and Safari, but only on macOS and Linux computers. Windows computers are not at risk. The browser companies know about the issue and are working on fixing it, but macOS and Linux users are still vulnerable for now.
How the vulnerability works
The exploit uses an old method that’s been around for 18 years. Even though security has improved, this method is still a vulnerability. Oligo’s blog post explains how they found this issue, and specifically mention an old bug report for Firefox where a user said public websites attacked their router on the internal network.Since then, people have tried to stop public websites from accessing private networks. Google created the Private Network Access (PNA) specification to protect users from attacks on routers and other private network devices. PNA restricts public websites from sending requests to private local IP addresses like 127.0.0.1 or 192.168.1.1. However, Oligo found out that the IP address 0.0.0.0 is not on the list of protected private or local addresses.Oligo used 0.0.0.0 to perform the ShadowRay attack, which targets a weakness in the Ray AI framework. This proved that browsers like Safari, Firefox, Chrome, and other Chromium browsers have a serious security issue that still needs to be fixed. The good news is that Windows users are not affected by this vulnerability, as it only affects macOS and Linux software.
Efforts to mitigate the issue
Oligo notified the affected browser security teams about the 0.0.0.0-day exploit back in April. Since then, the major browser companies acknowledged the problem, and most are working on fixing it. Chrome is gradually blocking access to 0.0.0.0 for all Chrome and Chromium users, starting with Chrome 128 and finishing by Chrome 133.
Apple has changed WebKit to block access to 0.0.0.0 for Safari users. These changes will be in Safari 18, currently available in the beta version of macOS Sequoia. Older macOS versions will also get the Safari 18 update to fix the 0.0.0.0-day issue.
However, Firefox users might have to wait a bit longer for a fix. Mozilla said that blocking 0.0.0.0 could cause issues for servers using that address, so they haven’t blocked it yet but do plan to block it in the future.
What You Can Do
If you use Chrome or Safari, keep your browser updated to ensure you have the latest security patches. Firefox users may need to wait a bit longer for a fix. In the meantime, be cautious about clicking on suspicious links or downloading attachments from unknown sources. These are common ways that attackers try to exploit vulnerabilities.
