Apple to Update macOS to Fix Long-Standing Internal Network Access Vulnerability, Blocking Hackers from Accessing 0.0.0.0
For a long time, macOS has harbored a vulnerability that lets attackers exploit how browsers handle the 0.0.0.0 IP address: requests sent to 0.0.0.0 are not rejected but are routed on to other IP addresses on the machine. In some instances, these requests end up at localhost, the address developers commonly use to set up local server testing environments.
Therefore, if a user has set up a local development environment on macOS with a service listening on localhost, attackers can use browsers like Safari, Chrome, or Firefox to route requests for 0.0.0.0 to localhost and probe that environment. In certain cases, this allows files and other data in the local environments of developers and businesses to be collected.
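The following Python sketch is an added illustration, not code from the original report: a defensive check a local development server can apply, refusing requests whose Host header names 0.0.0.0 (the value a browser sends when it is made to connect to that address) and cross-site requests whose Origin is not itself a local address. The allowed-host list and the port are assumptions made for the example.

```python
"""Host/Origin checks for a local dev server (added example, not from the article)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hostnames local tooling legitimately uses (assumed list for this example).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

def _hostname(value):
    """Lower-cased host part of a Host header or Origin URL, without the port."""
    if value is None:
        return None
    if "://" not in value:
        value = "//" + value  # Host headers have no scheme; make urlsplit parse an authority
    try:
        return urlsplit(value).hostname
    except ValueError:
        return None

def is_request_allowed(host_header, origin_header=None):
    """Allow requests addressed to a loopback name; if an Origin is present, it must be local too."""
    host = _hostname(host_header)
    # A browser made to fetch http://0.0.0.0:PORT/ sends "Host: 0.0.0.0:PORT".
    if host is None or host == "0.0.0.0" or host not in ALLOWED_HOSTS:
        return False
    if origin_header is not None:
        # Cross-site requests carry the page's Origin; "null" and remote origins are refused.
        return _hostname(origin_header) in ALLOWED_HOSTS
    return True

class GuardedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not is_request_allowed(self.headers.get("Host"), self.headers.get("Origin")):
            self.send_response(403)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"dev server ok\n")

if __name__ == "__main__":
    # Bind to loopback explicitly; binding to 0.0.0.0 would expose the service on every interface.
    HTTPServer(("127.0.0.1", 8000), GuardedHandler).serve_forever()
```

Binding to 127.0.0.1 and validating Host and Origin are independent of whatever the browser vendors ship, so they protect a local service even on browsers that have not yet blocked 0.0.0.0.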
Researchers have discovered that some hackers have even managed to host malicious code on servers running the Ray AI framework, a framework used by companies like Amazon and Intel for training artificial intelligence models, thereby stealing data.
This security vulnerability has persisted for about 18 years. Despite Apple's continuous efforts to enhance macOS security, this vulnerability remained unpatched until now. Apple is finally set to address it with the release of macOS Sequoia.
Apple states that in the macOS Sequoia version, it will prevent all websites from attempting to access the 0.0.0.0 IP address. However, it is currently unclear whether the security patch or fix is included in the latest macOS Sequoia beta.
Moreover, the Google security team has also stated plans to implement the same measure in future Chrome updates, where attempts by the browser to access 0.0.0.0 will be directly intercepted and not redirected to other addresses.
Firefox, on the other hand, has indicated that it has not yet addressed this vulnerability and is still researching potential solutions. Directly blocking access to 0.0.0.0 could lead to some compatibility issues.
It's noteworthy that this access vulnerability only affects macOS and Linux, as Microsoft had already recognized the issue. Setting up a development environment and using localhost is a common operation on Windows, so Microsoft has long blocked access to 0.0.0.0.