Apple to Address '0.0.0.0' Security Vulnerability in Safari 18

Apple plans to block websites from attempting to send malicious requests to the IP address 0.0.0.0 on macOS Sequoia, according to Forbes. The means the change will be part of Safari 18, which will also be available for macOS Sonoma and macOS Ventura.

safari icon blue banner
This decision comes after researchers from Israeli cybersecurity startup Oligo Security said they discovered a zero-day security vulnerability that allows a malicious actor to access private data on a user's internal private network. The researchers will present their findings this weekend at the DEF CON hacking conference in Las Vegas.

"Exploiting 0.0.0.0-day can let the attacker access the internal private network of the victim, opening a wide range of attack vectors," said Avi Lumelsky, a researcher at Oligo Security.

The researchers responsibly disclosed the vulnerability to Apple, Google, and Mozilla. More details are available on the AppSec Village website.

macOS Sequoia and Safari 18 are currently in beta and will be widely released later this year.

Related Roundup: macOS Sequoia
Tag: Safari
Related Forum: macOS Sequoia

Popular Stories

iOS 18

Apple Says iOS 18.4 Will Be Released in April With These New Features

Wednesday February 26, 2025 7:15 am PST by
In a recent press release, Apple confirmed that iOS 18.4 will be released in April. From the Apple News+ Food announcement:Coming with iOS 18.4 and iPadOS 18.4 in April, Apple News+ subscribers will have access to Apple News+ Food, a new section that will feature tens of thousands of recipes — as well as stories about restaurants, healthy eating, kitchen essentials, and more — from the...
Generic iPhone 17 Feature With Full Width Dynamic Island

Latest iPhone 17 Series CAD Images in Line With Redesign Rumors

Friday February 28, 2025 2:51 am PST by
Apple is expected to embrace a new camera system design for some models in its upcoming iPhone 17 series, and the latest purported CAD images don't deviate from what we have been hearing lately about Apple's new lineup. If you do not like the sound of an iPhone with a Google Pixel-style camera bar, look away now. Seasoned leaker Sonny Dickson shared the following images in a post on X...
iphone 16e usb c feature

Apple Provides Reason for iPhone 16e's Lack of MagSafe

Friday February 28, 2025 4:39 am PST by
Apple has offered a reason why the iPhone 16e doesn't include MagSafe, one of the more notable omissions from its latest entry-level smartphone. According to Apple representatives who spoke to Daring Fireball's John Gruber, MagSafe is not included in the iPhone 16e because "most people in the iPhone 16e's target audience exclusively charge their phones by plugging them into a charging...
apple intelligence black

These New Apple Intelligence Features Are Coming in iOS 18.4

Friday February 28, 2025 3:17 pm PST by
iOS 18.4 was supposed to bring new Apple Intelligence Siri features, but Apple ended up needing to pull those capabilities from the update to continue testing. There are fewer new Apple Intelligence additions now, but there are still some new features that will make the update worth installing when it comes out in April. Priority Notifications Apple introduced Priority Notifications back at ...
Generic iOS 19 Feature Mock Light

iOS 19 Rumored to Include These New Features for Your iPhone

Saturday March 1, 2025 11:00 am PST by
iOS 19 is still around three months away from being unveiled, but there are plenty of rumors about the upcoming update. Below, we recap iOS 19 rumors so far. Redesigned Camera App A leak earlier this year allegedly revealed a redesigned Camera app coming with iOS 19. On his YouTube channel Front Page Tech in January, Jon Prosser shared a video showing what the new Camera app will...
cook trump

Trump Responds to Apple Keeping Diversity Policies

Wednesday February 26, 2025 6:32 am PST by
In an all-caps post on Truth Social today, U.S. President Donald Trump said Apple should fully end its diversity, equity, and inclusion (DEI) policies. Tim Cook meeting with President Trump in 2017 "APPLE SHOULD GET RID OF DEI RULES, NOT JUST MAKE ADJUSTMENTS TO THEM," he wrote. Trump's post comes one day after Apple held its annual shareholders meeting, during which a majority of...
apple watch ultra snow

6 Features Coming to the Apple Watch Ultra 3

Tuesday February 25, 2025 9:00 am PST by
The Apple Watch Ultra 3 is expected to launch later this year, arriving two years after the previous model with a series of improvements. While no noticeable design changes are expected for the third generation since the company tends to stick with the same Apple Watch design through three generations before changing it, there are a series of internal upgrades on the way. By the time the ...
airpods pro purple

Here's When AirPods Pro 3 Are Rumored to Launch

Monday February 24, 2025 9:14 am PST by
According to a post on X today from a leaker known as Kosutami, Apple plans to launch AirPods Pro 3 in May or June this year. The leaker also claimed that an AirTag 2 will launch around the same time. Kosutami is best known as a collector of prototype Apple hardware, but they have occasionally shared accurate information about Apple's future product plans. For example, they accurately...
apple c1

How Fast is Apple's First-Ever 5G Modem? The Results Are Surprising

Friday February 28, 2025 10:08 am PST by
iPhone 16e reviews are now out, and Apple's custom-designed C1 modem has been put to the test. The results so far are quite surprising, as the C1's speeds are not as slow compared to Qualcomm modems as originally expected. While the C1 does not support ultra-fast mmWave 5G in the U.S., it appears to offer comparable 5G performance to Qualcomm's Snapdragon X71 modem found in the iPhone 16,...

Top Rated Comments

goonie4life9 Avatar
8 months ago
Not to worry, everyone, because Apple Support has the fix at the ready for this issue that they have never heard about, so it can’t be affecting customers:

1. Restart your device
2. Force restart your device
3. Reset network settings
4. Erase and reinstall, setting-up as new
5. RTA to Engineering
6. Engineering will request logs, with Mail logging enabled just to be safe
7. Within 48 hr, Engineering will let you know that this is a known issue, to keep your device up to date, and no further troubleshooting will be provided
Score: 20 Votes (Like | Disagree)
shamino Avatar
8 months ago
I wonder what the deal really is. The 0.0.0.0 address should be rejected by the OS's network stack. According to RF 1122 (from 1989), section 3213, the all-zeros address (that is, network zero, host zero) means "this host on this network" and goes on to say that it should not be used, except for specific circumstances:


(a) { 0, 0 }
This host on this network. MUST NOT be sent, except as
a source address as part of an initialization procedure
by which the host learns its own IP address.

See also Section 3.3.6 ('https://datatracker.ietf.org/doc/html/rfc1122#section-3.3.6') for a non-standard use of {0,0}.
Section 3.3.6 discusses broadcast addresses and states that a non-standard implementation (specifically citing BSD 4.2, but not 4.3) might use zero instead of -1 for the network/subnet/host fields of a broadcast packet and that hosts should accept incoming packets as such, making 0.0.0.0 equivalent to 255.255.255.255.

So the question remains: what does Apple need to fix? Any code trying to send a packet to/from address 0.0.0.0 should just get an error back from the network stack. And given the extreme age of systems that might use it as a broadcast address, the stack should probably reject packets from the network that use it as a destination unless the system is explicitly configured to allow them.

And if macOS's stack is not not discarding packets addressed to 0.0.0.0 and is not treating them identically to 255.255.255.255, well, then they've got a bug that should be fixed whether or not there's an exploit.
Score: 16 Votes (Like | Disagree)
Populus Avatar
8 months ago
If this vulnerability is as serious as it seems, in my humble opinion it should be adressed or, at least, mitigated, in the next security updates of Safari 17, and even on the upcoming security patch of iOS 16 and Monterey.
Score: 10 Votes (Like | Disagree)
Nugget Avatar
8 months ago
I hope the remediation for this exploit doesn't impact DNS-based ad blockers like Pi-hole which currently use the 0.0.0.0 address as the mechanism for blocking traffic to blacklisted hostnames.

Also, "Reader mode" in Safari bypasses the subscription nag on the linked article.
Score: 5 Votes (Like | Disagree)
foobarbaz Avatar
8 months ago
The description is vague, but I figure the following is going on:

Some app on the local machine is running a web server. This is either a developer running a dev build of a website locally or another software that uses HTTP internally (more than you think).

Normally such a server is never reachable from the outside. But Javascript on a website is not outside, it's running locally, so it can access these local web servers. And if they don't require authentication (e.g. maybe because the dev hasn't implemented it yet, or because security relies on it not being reachable from the outside), the Javascript can use the local web server to do nasty things, including accessing the users data.

But it's somewhat of an old hat. Some people claim it's "working as designed". Safari normally blocks such local requests, but Chrome didn't last time I checked. (It's a major reason I'm not using Chrome.) But I guess they figured out a way around Safari's block, which is what they probably reported to Apple.
Score: 4 Votes (Like | Disagree)
richie510 Avatar
8 months ago

I hope the remediation for this exploit doesn't impact DNS-based ad blockers like Pi-hole which currently use the 0.0.0.0 address as the mechanism for blocking traffic to blacklisted hostnames.

Also, "Reader mode" in Safari bypasses the subscription nag on the linked article.
I do not think this should affect pi-hole. pi-hole uses 0.0.0.0 as a null address that should be rejected by the OS. https://docs.pi-hole.net/ftldns/blockingmode/
Score: 4 Votes (Like | Disagree)