
Windows is immune to an 18-year-old security flaw.

Windows users are often the punchline of jokes when it comes to cybersecurity. Or, at least, that's how it used to be. If I ever hear another lecture about why Mac or Linux systems are more secure than Windows, I will at least be able to point to this article and say: not always. Not always.

The Hacker News reports that Oligo Security's research team discovered a vulnerability called "0.0.0.0 day" that affects Google Chrome/Chromium and Mozilla Firefox browsers. The vulnerability lets websites communicate with software running on macOS and Linux.

The vulnerability allows public websites with .com domains to communicate with services on the local network using the IP address 0.0.0.0 rather than localhost/127.0.0.1.

Microsoft's Windows OS blocks 0.0.0.0 on a system-wide level. Hooray for the sometimes-rarer-than-we'd-like Microsoft security win. This loophole has been exploitable since 2006. That means that it's been a cybersecurity vulnerability for 18 years.
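As an added illustration (not part of the article or of Oligo's research), here is the kind of check a developer of a localhost-only service could apply so that a request which arrived via the 0.0.0.0 loophole, or from a public web origin, is refused at the service itself rather than relying on the browser. The function name and the sample header values are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Host header values that name the unspecified address. A browser request that
# carries one of these reached the service through 0.0.0.0, not localhost.
UNSPECIFIED_HOSTS = {"0.0.0.0", "[::]"}

# Host header values a loopback-only service legitimately expects.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

# Origins (from the Origin header) that are allowed to make cross-origin calls.
LOCAL_ORIGIN_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hostname(host_header):
    """Strip the optional :port from a Host header, keeping IPv6 brackets."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_request_allowed(host_header, origin_header=None):
    """Return (allowed, reason) for one request to a loopback-only service.

    Mitigation shown: bind the service to 127.0.0.1 (never 0.0.0.0), reject a
    Host header naming the unspecified address, and refuse cross-origin calls
    from any origin that is not itself local.
    """
    host = _hostname(host_header)
    if host in UNSPECIFIED_HOSTS:
        return False, "host header names the unspecified address 0.0.0.0"
    if host not in LOCAL_HOSTS:
        return False, f"unexpected host {host!r}"
    if origin_header is None:                     # same-origin or non-browser client
        return True, "no cross-origin context"
    origin_host = urlsplit(origin_header).hostname
    if origin_host in LOCAL_ORIGIN_HOSTS:
        return True, "local origin"
    return False, f"cross-origin request from {origin_host!r}"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for host, origin in [("localhost:8000", None), ("0.0.0.0:8000", None),
                         ("[::]:8000", None), ("127.0.0.1:8000", "https://example.com"),
                         ("localhost:8000", "http://localhost:3000")]:
        print(host, origin, "->", is_request_allowed(host, origin))
```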

According to reports, the percentage of websites communicating over 0.0.0.0 is increasing. Oligo, by looking at Chromium counters on websites, has identified 0.015% as potentially malicious. It may not seem like much, but the team estimates that there will be 200 million websites active by August 2024.

It's possible that 100,000 websites communicate over that IP address. However, it is not known how many of those sites are using this capability for malicious purposes.

Oligo says it informed the security teams of each of the affected major browsers about its findings in April 2024. The company claims they have all acknowledged the problem and are working to fix it.

The browser developers are responsible for implementing their fixes. Different browsers have received these fixes at different times. Chrome has already blocked access to 0.0.0.0, starting with Chromium 128. Google plans to roll out the change gradually with completion set for Chrome 133.

Apple's Safari browser, which uses WebKit, has already blocked 0.0.0.0 since the report. Mozilla Firefox is not yet covered by a fix. However, Mozilla has changed its Fetch specification in order to block 0.0.0.0 attempts. Oligo says that "at some undetermined future point, Firefox will block 0.0.0.0."

Call me slightly smug, but given some high-profile Windows cybersecurity-related failures of late I'll take any win I can get. It's time for a victory dance if you're a Windows PC owner. We're not responsible for this, so we can sleep easy tonight.

