An old macOS security flaw has been fixed by Apple.

Apple has fixed a security vulnerability in Safari on macOS that dates back to the early days of Intel Macs. The Defcon hacking convention is taking place in Las Vegas from August 8 through August 11 and will feature talks on newly discovered security issues. Over the long weekend, Apple will be addressing an issue with Safari.

The zero-day vulnerability, discovered by Oligo Security, involves the IP address 0.0.0.0. The researchers have dubbed it “0.0.0.0 day”, and it exposes a weakness in the way browsers handle network requests. The flaw can be exploited to reach sensitive local services: the researchers found that public websites could communicate with services running on a visitor’s local network. By targeting 0.0.0.0 rather than localhost/127.0.0.1, such websites can bypass the browser’s localhost protections and execute code on the visitor’s hardware.

This bug has been around for years. The researchers found a 2006 report on a security problem involving this IP address. They also found that the issue affects all major browsers, and every company involved has been informed through responsible disclosure.

Apple has changed WebKit for Safari to block access to 0.0.0.0. It also added a check of the destination host’s IP address that blocks a request if the address is all zeros. This change will ship in Safari 18, which comes with the macOS Sequoia betas.

The same problem has been found in Mozilla Firefox and Google Chrome. In the case of Firefox, a fix is in progress, and Mozilla has changed the Fetch specification to block 0.0.0.0. Google is also rolling out updates that block access to 0.0.0.0, which affects both Chrome and Chromium users.

On Saturday, Oligo Security will give a talk as part of the AppSec Village at Defcon.
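As an added illustration (not Apple’s, Mozilla’s or Oligo Security’s code), here are the two defensive checks the story implies, in Python: a browser-style destination check that refuses the all-zeros address, and a Host/Origin check that a localhost-bound service can apply on its own side regardless of browser behaviour. The function names and the use of the Origin and Sec-Fetch-Site headers are assumptions for this example, not details from the article.

```python
"""Defensive checks for the 0.0.0.0-day class of bug (illustrative, not vendor code)."""
import ipaddress
from urllib.parse import urlsplit

LOCAL_HOSTNAMES = {"localhost"}


def _host_literal(host):
    """Return an ip_address for a literal host, or None if it is a name."""
    try:
        return ipaddress.ip_address(host) if host else None
    except ValueError:
        return None


def browser_should_block(url):
    """Browser-side rule: refuse fetches whose host is the unspecified
    address (0.0.0.0 or ::), mirroring the all-zeros check described above."""
    addr = _host_literal(urlsplit(url).hostname)
    return addr is not None and addr.is_unspecified


def _is_local_name(host):
    """True only for 'localhost' or a loopback literal (127.x, ::1).
    0.0.0.0 is deliberately NOT accepted: a request sent to http://0.0.0.0
    arrives with that literal in the Host header, so it is rejected here."""
    if not host:
        return False
    if host.lower() in LOCAL_HOSTNAMES:
        return True
    addr = _host_literal(host)
    return addr is not None and addr.is_loopback


def local_service_allows(headers):
    """Server-side rule for a service bound to a loopback interface.

    headers: dict of request headers (any key case). Accept only if Host is
    local and, when the browser supplied Origin or Sec-Fetch-Site, those
    also point at a local page rather than a public website."""
    h = {k.lower(): v for k, v in headers.items()}
    if not _is_local_name(urlsplit("//" + h.get("host", "")).hostname):
        return False
    origin = h.get("origin")
    if origin is not None and not _is_local_name(urlsplit(origin).hostname):
        return False
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False
    return True
```

Requests without an Origin header (for example from a command-line client) are still bounded by the Host check, which is what blocks the 0.0.0.0 path described in the article.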
