Apple Closes Ancient Security Gaps In MacOS Safari

Apple recently fixed an old security gap in Safari for macOS (photo: x @it__security ·)

JAKARTA - Apple recently fixed an old security gap in Safari for macOS which appears to have existed since the early days of Intel Mac. According to a report from Defcon, a hacking conference that runs from August 8 to 11 in Las Vegas, this gap was discovered by Oligo Security.

This bug, known as "0.0.0.0 Day" is a zero-day vulnerability involving an IP address of 0.0.0.0, and affects how the browser handles network demand. This gap allows access to sensitive local services via code executed on visitor devices by targeting 0.0.0 instead of localhosts/127.0.0.1.

Researcher Oligo Security found that this gap had existed since 2006 and affected all major browsers. All related companies have been notified as part of the disclosure in charge.

For Safari, Apple has made changes to WebKit to block access to 0.0.0.0. Apple also added checks on the destination host's IP address, blocking requests if the address is all zero.

This change is applied in Safari 18, which is included in the beta version macOS Sequoia.

The same problem was found in Mozilla Firefox and Google Chrome. Firefox is in the repair process and has changed Match specifications to block 0.0.0.0. Google is also rolling out an update to block access to 0.0.0, affecting Chrome users and Chromium-based browsers.