Apple has closed an ancient macOS Safari security hole
Apple is fixing a vulnerability in Safari for macOS that seems to date back to the dawn of Intel Macs.
The Defcon hacking conference, which hosts talks about newly discovered security issues, is taking place from August 8 to August 11 in Las Vegas. One talk set to occur over the long weekend will discuss an issue with Safari that Apple has worked to fix.
The exploit, discovered by Oligo Security, is a zero-day vulnerability involving the IP address 0.0.0.0. Dubbed "0.0.0.0 Day" by the researchers, it exposes a flaw in how browsers handle network requests, which can be abused to access sensitive local services.
The researchers found public websites can communicate with services running on a local network. It's possible for the websites to execute code on a visitor's hardware, simply by targeting 0.0.0.0 instead of localhost/127.0.0.1.
This is a bug that has been around for many years. The researchers found a report of a security issue involving the IP address dating back to 2006.
The issue affects all major browsers, the researchers found, and all related companies have been informed as part of a responsible disclosure.
For Safari, Apple has made changes to WebKit to block access to 0.0.0.0. It also added a check on the destination host IP address, blocking the request if it's all zeroes.
This change is being implemented as part of Safari 18, which is included in the betas of macOS Sequoia.
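The kind of destination-host check described above, as an added illustration that is not WebKit's code or anything from Apple or Oligo Security. The function names, the example.test origin, and the sample URLs are constructed for this example, and treating the IPv6 unspecified address [::] the same way goes beyond what the article states.

```javascript
// Hypothetical filter that only knows the usual loopback names.
// It does not recognise 0.0.0.0, which is the gap the article describes.
function isLoopbackOnly(urlString) {
  const host = new URL(urlString).hostname;
  return host === "localhost" || host === "127.0.0.1";
}

// The URL parser canonicalises IPv4 hosts before we see them, so the
// comparison is made on the canonical form, never on the raw string.
function isAllZeroHost(hostname) {
  // "[::]" (IPv6 unspecified address) is an assumption added here.
  return hostname === "0.0.0.0" || hostname === "[::]";
}

// Decide whether a page may send a request to destinationUrl.
// Relative destinations are resolved against the page URL first.
function checkRequest(pageUrl, destinationUrl) {
  let dest;
  try {
    dest = new URL(destinationUrl, pageUrl);
  } catch {
    return { allowed: false, reason: "unparseable destination" };
  }
  if (isAllZeroHost(dest.hostname)) {
    return { allowed: false, reason: "destination host is all zeroes" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests from a public page.
const SAMPLE_PAGE = "https://example.test/index.html";
const SAMPLE_DESTINATIONS = [
  "http://0.0.0.0:8080/status", // the address named in the article
  "http://0/status",            // parser canonicalises this to 0.0.0.0
  "http://[::]:8080/status",    // IPv6 all-zero form (assumption)
  "/api/items",                 // same-site relative request
];

function evaluateSamples() {
  return SAMPLE_DESTINATIONS.map((d) => ({
    destination: d,
    missedByLoopbackFilter: !isLoopbackOnly(new URL(d, SAMPLE_PAGE).href),
    ...checkRequest(SAMPLE_PAGE, d),
  }));
}

console.log(evaluateSamples());
```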
The same issue has been found in Mozilla Firefox and Google Chrome. In the case of Firefox, there's a fix in progress and Mozilla has changed the Fetch specification to block 0.0.0.0.
Google is similarly rolling out updates to block access to 0.0.0.0, affecting both Chrome and Chromium-based browser users.
A talk by Oligo Security will be held as part of the AppSec Village of Defcon on Saturday.
Comments
I've installed the update on macOS and can still access 0.0.0.0 since I have nginx running locally. It just loads the default nginx splash page. The article says that Safari would block access to any 0.0.0.0 requests, but that's apparently not the case.
Any experts out there?
It's because it's not fixed yet. Seems to be fixed in iOS 18.x releases. (Which beats me - why they don't roll out a sec. fix ASAP for this.)