Apple to Address '0.0.0.0' Security Vulnerability in Safari 18
Apple will address a security vulnerability in Safari 18 affecting macOS Sequoia, Sonoma, and Ventura, blocking malicious requests to the IP address 0.0.0.0, with an update expected later this year.
Apple is set to address a significant security vulnerability in Safari 18, which affects macOS Sequoia, Sonoma, and Ventura. The vulnerability, identified by researchers from Oligo Security, involves the IP address 0.0.0.0, which can be exploited by malicious actors to access private data on a user's internal network. This zero-day vulnerability allows attackers to open various attack vectors against victims. The researchers will present their findings at the DEF CON hacking conference in Las Vegas. Apple, along with Google and Mozilla, has been informed of the issue through responsible disclosure. The upcoming Safari 18 update, currently in beta, aims to block websites from sending harmful requests to the 0.0.0.0 address. The official release of macOS Sequoia and Safari 18 is expected later this year.
- Apple will block malicious requests to the IP address 0.0.0.0 in Safari 18.
- The vulnerability allows attackers to access private data on internal networks.
- Researchers from Oligo Security discovered the issue and will present findings at DEF CON.
- The update will be included in macOS Sequoia, Sonoma, and Ventura.
- Safari 18 is currently in beta and will be released later this year.
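The browser-side rule described above (refuse web requests whose destination is 0.0.0.0) and its server-side counterpart for a service listening on the local machine, as an added example that is not code from Apple, Oligo Security, or the article. It generalizes the check to the IPv6 unspecified address `::`, which behaves the same way; the header names and origin values are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def is_unspecified_target(url: str) -> bool:
    """True when the URL's host literal is the unspecified address (0.0.0.0 or ::).

    This is the client-side filter the article describes Safari 18 adding:
    a page must not be able to reach local services by addressing 0.0.0.0.
    Hostnames (not IP literals) are left to DNS and are not blocked here.
    """
    host = urlsplit(url).hostname  # strips brackets from IPv6 literals
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False  # a DNS name rather than an address literal


def local_service_should_reject(headers: dict, allowed_origins=frozenset()) -> bool:
    """Defence in depth for a service bound on the local machine.

    Reject a request that arrived via the unspecified address (Host: 0.0.0.0)
    or that carries an Origin header from a site not explicitly allowed, which
    is how a web page, rather than a local client, would reach the service.
    Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    host_header = lower.get("host", "")
    host = urlsplit("//" + host_header).hostname or ""
    try:
        if ipaddress.ip_address(host).is_unspecified:
            return True
    except ValueError:
        pass  # Host is a name such as "localhost"; fall through to the Origin check
    origin = lower.get("origin")
    if origin is not None and origin not in allowed_origins:
        return True  # cross-site browser request (including Origin: null)
    return False
```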
Related
The First Spatial Computing Hack
Ryan Pickren found a Safari bug letting websites flood a user's space with 3D objects. Apple fixed it (CVE-2024-27812) in June after Ryan's report. The bug exploited Apple ARKit Quick Look, launching objects without consent.
CVE-2024-40798 – an app may be able to read Safari's browsing history
CVE-2024-40798 is a newly identified vulnerability in Safari that may expose browsing history. It has been fixed in several Apple software updates and awaits analysis without a CVSS severity score.
Apple memory holed its broken promise for an OCSP opt-out
Apple has not fulfilled its promise to provide an opt-out for OCSP checks in macOS, raising privacy concerns. Following macOS 14 Sonoma, it removed related documentation, prompting user skepticism.