It’s not every day that we come across a vulnerability that’s almost two decades old, but cybersecurity researchers have discovered a new zero-day flaw that impacts all major browsers.
As reported by The Hacker News, the Israeli app security firm Oligo found what it’s calling a “0.0.0.0 Day” that can be exploited by hackers to access sensitive services running on local devices. The most surprising thing about this critical vulnerability, though, is that it has lain dormant in popular browsers for 18 years.
The 0.0.0.0 Day impacts all of the top browsers, including Safari, Firefox, and Google Chrome and other Chromium-based browsers like Edge. However, it’s worth noting that it only affects devices running macOS and Linux. The best Windows laptops aren’t affected because Microsoft blocks this IP address at the operating system level.
This critical vulnerability can be used to weaponize harmless IP addresses like 0.0.0.0 to exploit local services, allowing unauthorized access and remote code execution by hackers who are not on the same local network.
In a report on the matter, Oligo’s security researchers explain that public websites with domains that end in “.com” are able to communicate with services running on a local network and execute arbitrary code by using the address 0.0.0.0. The vulnerability also makes it possible to bypass Private Network Access (PNA), which prevents public websites from directly accessing endpoints on a private network.
How to stay safe from browser-based attacks
After discovering this vulnerability back in April, Oligo quickly reached out to the companies behind all of the major browsers so that they could implement a fix.
Instead of releasing a security update, Google, Apple, Mozilla and others plan to block the IP address 0.0.0.0 going forward. With the release of Chromium 128 last month, Chrome is already blocking access to 0.0.0.0, but Google’s full fix for this issue won’t be completed for all users until Chrome 133 is released. Meanwhile, Apple has already made changes to WebKit, the browser engine used by Safari, to block access to 0.0.0.0, and Mozilla has also blocked the IP address in Firefox.
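The sketch below models the Private Network Access check and the 0.0.0.0 block described above. It is an added example, not code from Oligo or from any browser; the address ranges, function names and sample URLs are assumptions made for illustration.

```javascript
// Added illustration, not browser source code. The ranges below are a
// simplified, assumed model of the address spaces PNA distinguishes.
const NON_PUBLIC_V4 = [
  ["127.0.0.0", 8, "local"],      // loopback
  ["10.0.0.0", 8, "private"],
  ["172.16.0.0", 12, "private"],
  ["192.168.0.0", 16, "private"],
  ["169.254.0.0", 16, "private"], // link-local
];

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer (null if invalid).
function ipv4ToInt(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when addr falls inside base/bits.
function inCidr(addr, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Classify the destination of a request URL. With blockZero=false the
// all-zeros address matches none of the listed ranges and falls through
// to "public"; blockZero=true models the explicit block browsers added.
function addressSpace(url, blockZero) {
  const addr = ipv4ToInt(new URL(url).hostname);
  if (addr === null) return "unresolved-name"; // a DNS name must be resolved first
  if (blockZero && addr === 0) return "blocked";
  for (const [base, bits, space] of NON_PUBLIC_V4) {
    if (inCidr(addr, base, bits)) return space;
  }
  return "public";
}

// A page loaded from the public internet may only reach public destinations.
function publicPageMayFetch(url, blockZero) {
  return addressSpace(url, blockZero) === "public";
}
```

In this model, a constructed URL such as `http://0.0.0.0:8080/api` is allowed when `blockZero` is false and refused when it is true, while 127.0.0.1 is classified as local either way.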
When it comes to protecting yourself from other browser-based attacks, the first and most important thing you can do is to keep your browser up to date. I know this may get annoying given how frequently Google releases new updates for Chrome, but they only take a minute or so to install and all of your current tabs will be reopened once an update is complete.
Since your browser can be attacked by hackers to infect your computer with malware, you should also consider using the best antivirus software on your Windows PC and the best Mac antivirus software on your Apple computer. Both Windows and macOS ship with built-in antivirus software, but paid options provide you with even greater protection along with some useful extras like a VPN or a password manager.
New vulnerabilities like the one described above are discovered and subsequently patched every day, which is why you want to stay on top of updates and not let them pile up if you want to stay safe from hackers.