Apple has closed an ancient macOS Safari security hole

AppleInsiderAppleInsider
Posted:
in macOS

Apple is fixing a vulnerability in Safari for macOS, that seems to date back to the dawn of Intel Macs.

Safari icon with blue background and white compass needle, overlaid on blurred code.
Icon for Safari in macOS



The Defcon hacking conference is taking place from August 8 to August 11 in Las Vegas, which hosts talks about newly discovered security issues. One talk set to occur over the long weekend will discuss an issue with Safari that Apple has worked to fix.

The exploit, discovered by Oligo Security, is a zero-day vulnerability involving the IP address 0.0.0.0. Dubbed "0.0.0.0 Day" by the researchers, it exposes a flaw in how browsers handle network requests, which can be abused to access sensitive local services.

The researchers found public websites can communicate with services running on a local network. It's possible for the websites to execute code on a visitor's hardware, simply by targetting 0.0.0.0 instead of localhost/127.0.0.1.

This is a bug that has been around for many years. The researchers found a report of a security issue involving the IP address dating back to 2006.

The issue affects all major browsers, the researchers found, and all related companies have been informed as part of a responsible disclosure.

For Safari, Apple has made changes to WebKit to block access to 0.0.0.0. It also added a check to the destination host IP address, blocking the request if it's all zeroes.

This change is being implemented as part of Safari 18, which is included in the betas of macOS Sequoia.

The same issue has been found in Mozilla Firefox and Google Chrome. In the case of Firefox, there's a fix in progress and Mozilla has changed the Fetch specification to block 0.0.0.0.

Google is similarly rolling out updates to block access to 0.0.0.0, affecting both Chrome and Chromium-based browser users.

A talk by Oligo Security will be held as part of the AppSec Village of Defcon on Saturday.



Read on AppleInsider

Comments

  • Reply 1 of 3
    CaptainQCaptainQ Posts: 5member
    isn't it strange that every companies finally decide to fix this bug at the same time while it's been known for more than 10 years? 
    What explains that? 
    jas99watto_cobra
  • Reply 2 of 3
    coolfactorcoolfactor Posts: 2,314member
    I'm a bit confused why this is a browser fix and not a lower system-level fix?

    I've installed the update on macOS and can still access 0.0.0.0 since I have nginx running locally. It just loads the default nginx splash page. The article says that Safari would block access to any 0.0.0.0 requests, but that's apparently not the case.

    Any experts out there?
    edited August 7 watto_cobra
  • Reply 3 of 3
    777pirat777pirat Posts: 1member
    coolfactor said:
    I'm a bit confused why this is a browser fix and not a lower system-level fix?

    I've installed the update on macOS and can still access 0.0.0.0 since I have nginx running locally. It just loads the default nginx splash page. The article says that Safari would block access to any 0.0.0.0 requests, but that's apparently not the case.

    Any experts out there?


    It's because it's not fixed yet. Seems to be fixed in iOS 18.x releases. (Which beats me - why they don't roll-out a sec.fix asap to this)
    bonobobwatto_cobra
Sign In or Register to comment.