
Safari on macOS Sequoia blocks the IP address 0.0.0.0 to fix an 18-year-old security exploit

2024 August 8
by RSS Feed

Apple has confirmed that Safari on its latest macOS Sequoia operating system stops websites from accessing the IP address 0.0.0.0.

As a non-routable IPv4 address, 0.0.0.0 has many uses, and one of the most common is as a placeholder meaning "any address": a server that binds to 0.0.0.0 listens on every interface of the machine. The problem is what happens on the client side. In Apple's Safari, Google's Chrome and Mozilla's Firefox, a web page can issue a request to http://0.0.0.0, and on macOS and Linux the operating system delivers that connection to the local machine, the same place a request to 127.0.0.1 ("localhost") ends up.

"Localhost" refers to the computer the browser itself is running on. It is where developers run in-development services that are assumed to be reachable only from that computer, and which therefore often have no authentication at all. Because browsers treated 0.0.0.0 as an ordinary public address rather than as a local one, a malicious website could use it to reach those services, and the private data they hold, while sidestepping the checks some browsers already apply to loopback addresses such as 127.0.0.1.

Oligo researchers warn that by accepting 0.0.0.0, “you’re basically allowing everything.” Hackers have been exploiting this loophole for eighteen years, and browser vendors have finally decided to do something about it.
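To make the gap concrete, here is an added example (not code from Apple, Google, Mozilla or Oligo) of the kind of "is this target private?" check a browser applies before letting a public page talk to a local service. The range list, the function names and the URLs are assumptions chosen for the illustration. The legacy list contains loopback, RFC 1918 and link-local ranges but not 0.0.0.0; the hardened list adds 0.0.0.0/8, which is the change Safari has shipped and Chrome has planned.

```javascript
// Added illustration, not the browsers' own code. Simplified model of the
// "private network" target check applied to requests from public pages.

function parseIPv4(host) {
  // Returns the four octets of a dotted-quad IPv4 literal, or null if the
  // host is not a plain IPv4 literal (hostnames are out of scope here).
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function toUint32([a, b, c, d]) {
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

function inCidr(octets, cidr) {
  // True if the address lies inside the CIDR block, e.g. "10.0.0.0/8".
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const ip = toUint32(octets);
  const n = toUint32(parseIPv4(net));
  return ((ip & mask) >>> 0) === ((n & mask) >>> 0);
}

// Ranges treated as "not public" before the fix (assumed list for this example).
const LEGACY_NON_PUBLIC = [
  "127.0.0.0/8",    // loopback
  "10.0.0.0/8",     // RFC 1918 private
  "172.16.0.0/12",  // RFC 1918 private
  "192.168.0.0/16", // RFC 1918 private
  "169.254.0.0/16", // link-local
];

// The fix: 0.0.0.0/8 joins the list, because on macOS and Linux a connection
// to 0.0.0.0 is delivered to the local machine just like 127.0.0.1.
const HARDENED_NON_PUBLIC = ["0.0.0.0/8", ...LEGACY_NON_PUBLIC];

function isAllowedFromPublicPage(url, ranges) {
  // True if a public page may fetch this URL with no private-network check,
  // i.e. the target is classified as public. Hostnames (which a real browser
  // resolves first) are passed through unchanged in this simplified model.
  const host = new URL(url).hostname;
  const ip = parseIPv4(host);
  if (ip === null) return true;
  return !ranges.some((r) => inCidr(ip, r));
}

function classify(urls) {
  // Compare the legacy and hardened verdicts for each target.
  return urls.map((url) => ({
    url,
    legacy: isAllowedFromPublicPage(url, LEGACY_NON_PUBLIC),
    hardened: isAllowedFromPublicPage(url, HARDENED_NON_PUBLIC),
  }));
}

// Constructed sample targets: a dev server reached via 0.0.0.0 and via
// 127.0.0.1, plus an ordinary public address.
const SAMPLE_TARGETS = [
  "http://0.0.0.0:8080/api/secrets",
  "http://127.0.0.1:8080/api/secrets",
  "http://203.0.113.10/index.html",
];

for (const r of classify(SAMPLE_TARGETS)) {
  console.log(`${r.url}  legacy allowed=${r.legacy}  hardened allowed=${r.hardened}`);
}
```

The first row is the whole story: under the legacy list a page served from any public origin can `fetch("http://0.0.0.0:8080/...")` and have it land on the local service, while the same request aimed at 127.0.0.1 is already caught. Note that 0.0.0.0 only behaves this way on macOS and Linux; Windows refuses the connection at the operating-system level, which is why the exploit was never cross-platform.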

Safari on macOS Sequoia fixes the longstanding 0.0.0.0 “localhost” loophole

Apple has confirmed to Forbes that macOS Sequoia will block websites from accessing 0.0.0.0. Google will also close the loophole in a future version of its Chrome browser, while Mozilla has not yet developed a solution but is working on it.

A Mozilla spokesperson told the publication that the non-profit organization is concerned about potential compatibility issues, as blocking 0.0.0.0 could cause some servers to break. “Imposing tighter restrictions comes with a significant risk of introducing compatibility problems. As the standards discussion and work to understand those compatibility risks is ongoing, Firefox has not implemented any of the proposed restrictions. We plan to continue our engagement in that process.”

macOS Sequoia brings other security improvements. One of them makes it harder to bypass Gatekeeper in order to install unsigned Mac software, because Apple realized that modern malware instructs users to open the executable with the Control-click shortcut.

Source link: https://www.idownloadblog.com/2024/08/08/apple-macos-sequoia-safari-0-0-0-0-address-localhost-security-exploit/
