Apple to Address '0.0.0.0' Security Vulnerability in Safari 18

Apple plans to block websites from attempting to send malicious requests to the IP address 0.0.0.0 on macOS Sequoia, according to Forbes. The means the change will be part of Safari 18, which will also be available for macOS Sonoma and macOS Ventura.

safari icon blue banner
This decision comes after researchers from Israeli cybersecurity startup Oligo Security said they discovered a zero-day security vulnerability that allows a malicious actor to access private data on a user's internal private network. The researchers will present their findings this weekend at the DEF CON hacking conference in Las Vegas.

"Exploiting 0.0.0.0-day can let the attacker access the internal private network of the victim, opening a wide range of attack vectors," said Avi Lumelsky, a researcher at Oligo Security.

The researchers responsibly disclosed the vulnerability to Apple, Google, and Mozilla. More details are available on the AppSec Village website.

macOS Sequoia and Safari 18 are currently in beta and will be widely released later this year.

Related Roundup: macOS Sequoia
Tag: Safari
Related Forum: macOS Sequoia

Popular Stories

maxresdefault

Apple Releases iOS 18.4 With Priority Notifications, Ambient Music, New Emoji and More

Monday March 31, 2025 10:03 am PDT by
Apple today released iOS 18.4 and iPadOS 18.4, the fourth major updates to the iOS 18 and iPadOS 18 operating system updates that came out last year. iOS 18.4 and iPadOS 18.4 come two months after Apple released iOS 18.3 and iPadOS 18.3. Subscribe to the MacRumors YouTube channel for more videos. The new software can be downloaded on eligible iPhones and iPads over-the-air by going to...
iPhone 17 Pro 34ths Perspective

iPhone 17 Pro Launching Later This Year With These 10 New Features

Sunday March 23, 2025 10:00 am PDT by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. Below, we recap key changes rumored for the iPhone 17 Pro models as of March 2025: Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro models have a titanium frame, and the iPhone ...
iOS 19 Mock WWDC25 Feature

iOS 19 Expected to Run on These iPhones

Monday March 31, 2025 5:28 pm PDT by
iOS 19 will not be available on the iPhone XR, iPhone XS, or the iPhone XS Max, according a private account on social media site X that has accurately provided information on device compatibility in the past. The iPhone XR, iPhone XS, and iPhone XS Max all have an A12 Bionic chip, so it looks like iOS 19 will discontinue support for that chip. All other iPhones that run iOS 18 are expected...
top stories 2025 03 29

Top Stories: WWDC 2025 Announced, iPhone 17 Pro and iOS 19 Rumors, and More

Saturday March 29, 2025 6:00 am PDT by
Apple's big developer event is a little over two months away, and rumors about what we can expect to see in Apple's next major operating system updates are becoming increasingly frequent. A public release of iOS 18.4 is also imminent with a number of updates and improvements, although we won't be getting the major Apple Intelligence Siri upgrades that had reportedly been planned for this...
Magic Mouse Green

What to Expect From the Magic Mouse 3

Saturday March 29, 2025 10:15 am PDT by
Apple is reportedly working on a new Magic Mouse. Below, we recap what to expect. The two key rumors for the Magic Mouse 3 so far include a relocated charging port, along with a more ergonomic design. It was briefly rumored that the Magic Mouse 3 would also feature voice control, but that was misinterpreted information. Relocated Charging Port While the Magic Mouse switched from...
iOS 18

iOS 18.4 Expected Next Week - Here Are the Release Notes

Friday March 28, 2025 2:01 pm PDT by
With the second release candidate of iOS 18.4 that Apple seeded out today, the company finally provided us with release notes that give a full rundown on what to expect. There's an Apple Vision Pro app, new Apple Intelligence features for notifications and additional language support, plus an Apple News Food feature for Apple News+ subscribers, and several updates that should improve the...
Foldable iPhone 2023 Feature Homescreen

Six Things to Know About Apple's Upcoming Foldable iPhone

Friday March 28, 2025 3:54 pm PDT by
We've been hearing rumors about a foldable iPhone for almost a decade now, but it looks like we might finally see the device come to fruition in 2026. We're going to be waiting many more months for the foldable iPhone, but so far we're hearing good things. Apple wants to make it creaseless. It's taken Apple multiple years to design a foldable iPhone that it's satisfied with because Apple ...
iOS 19 visionOS UI Elements

Apple Codename Provides Clue About iOS 19's Rumored New Design

Sunday March 30, 2025 6:40 am PDT by
Multiple sources have claimed that iOS 19 will introduce a new design with more translucent buttons, menus, notification banners, and more, and there is now another clue that points towards this glass-like appearance. Bloomberg's Mark Gurman today said the new design project is codenamed "Solarium" internally. A solarium is a room with glass walls that allow in plenty of sunlight, so this...

Top Rated Comments

goonie4life9 Avatar
9 months ago
Not to worry, everyone, because Apple Support has the fix at the ready for this issue that they have never heard about, so it can’t be affecting customers:

1. Restart your device
2. Force restart your device
3. Reset network settings
4. Erase and reinstall, setting-up as new
5. RTA to Engineering
6. Engineering will request logs, with Mail logging enabled just to be safe
7. Within 48 hr, Engineering will let you know that this is a known issue, to keep your device up to date, and no further troubleshooting will be provided
Score: 20 Votes (Like | Disagree)
shamino Avatar
9 months ago
I wonder what the deal really is. The 0.0.0.0 address should be rejected by the OS's network stack. According to RF 1122 (from 1989), section 3213, the all-zeros address (that is, network zero, host zero) means "this host on this network" and goes on to say that it should not be used, except for specific circumstances:


(a) { 0, 0 }
This host on this network. MUST NOT be sent, except as
a source address as part of an initialization procedure
by which the host learns its own IP address.

See also Section 3.3.6 ('https://datatracker.ietf.org/doc/html/rfc1122#section-3.3.6') for a non-standard use of {0,0}.
Section 3.3.6 discusses broadcast addresses and states that a non-standard implementation (specifically citing BSD 4.2, but not 4.3) might use zero instead of -1 for the network/subnet/host fields of a broadcast packet and that hosts should accept incoming packets as such, making 0.0.0.0 equivalent to 255.255.255.255.

So the question remains: what does Apple need to fix? Any code trying to send a packet to/from address 0.0.0.0 should just get an error back from the network stack. And given the extreme age of systems that might use it as a broadcast address, the stack should probably reject packets from the network that use it as a destination unless the system is explicitly configured to allow them.

And if macOS's stack is not not discarding packets addressed to 0.0.0.0 and is not treating them identically to 255.255.255.255, well, then they've got a bug that should be fixed whether or not there's an exploit.
Score: 16 Votes (Like | Disagree)
Populus Avatar
9 months ago
If this vulnerability is as serious as it seems, in my humble opinion it should be adressed or, at least, mitigated, in the next security updates of Safari 17, and even on the upcoming security patch of iOS 16 and Monterey.
Score: 10 Votes (Like | Disagree)
Nugget Avatar
9 months ago
I hope the remediation for this exploit doesn't impact DNS-based ad blockers like Pi-hole which currently use the 0.0.0.0 address as the mechanism for blocking traffic to blacklisted hostnames.

Also, "Reader mode" in Safari bypasses the subscription nag on the linked article.
Score: 5 Votes (Like | Disagree)
foobarbaz Avatar
9 months ago
The description is vague, but I figure the following is going on:

Some app on the local machine is running a web server. This is either a developer running a dev build of a website locally or another software that uses HTTP internally (more than you think).

Normally such a server is never reachable from the outside. But Javascript on a website is not outside, it's running locally, so it can access these local web servers. And if they don't require authentication (e.g. maybe because the dev hasn't implemented it yet, or because security relies on it not being reachable from the outside), the Javascript can use the local web server to do nasty things, including accessing the users data.

But it's somewhat of an old hat. Some people claim it's "working as designed". Safari normally blocks such local requests, but Chrome didn't last time I checked. (It's a major reason I'm not using Chrome.) But I guess they figured out a way around Safari's block, which is what they probably reported to Apple.
Score: 4 Votes (Like | Disagree)
richie510 Avatar
9 months ago

I hope the remediation for this exploit doesn't impact DNS-based ad blockers like Pi-hole which currently use the 0.0.0.0 address as the mechanism for blocking traffic to blacklisted hostnames.

Also, "Reader mode" in Safari bypasses the subscription nag on the linked article.
I do not think this should affect pi-hole. pi-hole uses 0.0.0.0 as a null address that should be rejected by the OS. https://docs.pi-hole.net/ftldns/blockingmode/
Score: 4 Votes (Like | Disagree)