Earlier this month, Oligo Security reported on an old but effective zero-day in the most commonly used internet browsers. By pointing to the IP address 0.0.0.0 from a public website, local webservers could be invoked. This could then be manipulated to execute remote code simply through a user clicking on the wrong link.
Although this zero day (or 0.0.0.0-day, as they called it) is fairly powerful, the impact is limited to Linux, ChromeOS and macOS systems. Windows blocks the 0.0.0.0 IP address by default. Apple is now going to do the same in the next macOS version.
It’s a remarkable leak, as it happens, because browsers by default have a security feature where it is not possible to simply link from a website to a local IP address. Users then get an error message that a site is trying to reach the internal network. This only works if users open a new tab and type in the address themselves.
However, the IP address 0.0.0.0 is never established as a local IP address. Rather, it is a temporary address used only when a PC is connecting, so 0.0.0.0 is also not actively used in any network. Because the IP address falls into a kind of no-man’s land, many browsers have at one time or another opted to just forward the address to 127.0.0.1, the localhost. That’s where things go wrong now, because where browsers apply protections to 127.0.0.1, they don’t do so to 0.0.0.0.
Apple, Google and Mozilla have all already announced that patches are being rolled out to close this 0.0.0.0 day.
Also read: Are browser extensions still safe to use?