Apple to Address '0.0.0.0' Security Vulnerability in Safari 18

Apple plans to block websites from attempting to send malicious requests to the IP address 0.0.0.0 on macOS Sequoia, according to Forbes. This means the change will be part of Safari 18, which will also be available for macOS Sonoma and macOS Ventura.

This decision comes after researchers from Israeli cybersecurity startup Oligo Security said they discovered a zero-day security vulnerability that allows a malicious actor to access private data on a user's internal private network. The researchers will present their findings this weekend at the DEF CON hacking conference in Las Vegas.

"Exploiting 0.0.0.0-day can let the attacker access the internal private network of the victim, opening a wide range of attack vectors," said Avi Lumelsky, a researcher at Oligo Security.

The researchers responsibly disclosed the vulnerability to Apple, Google, and Mozilla. More details are available on the AppSec Village website.

macOS Sequoia and Safari 18 are currently in beta and will be widely released later this year.

Top Rated Comments

goonie4life9
27 weeks ago
Not to worry, everyone, because Apple Support has the fix at the ready for this issue that they have never heard about, so it can’t be affecting customers:

1. Restart your device
2. Force restart your device
3. Reset network settings
4. Erase and reinstall, setting up as new
5. RTA to Engineering
6. Engineering will request logs, with Mail logging enabled just to be safe
7. Within 48 hr, Engineering will let you know that this is a known issue, to keep your device up to date, and no further troubleshooting will be provided
Score: 20 Votes
shamino
27 weeks ago
I wonder what the deal really is. The 0.0.0.0 address should be rejected by the OS's network stack. According to RFC 1122 (from 1989), section 3.2.1.3, the all-zeros address (that is, network zero, host zero) means "this host on this network" and goes on to say that it should not be used, except for specific circumstances:

    (a) { 0, 0 }
        This host on this network. MUST NOT be sent, except as
        a source address as part of an initialization procedure
        by which the host learns its own IP address.

    See also Section 3.3.6 (https://datatracker.ietf.org/doc/html/rfc1122#section-3.3.6) for a non-standard use of {0,0}.
Section 3.3.6 discusses broadcast addresses and states that a non-standard implementation (specifically citing BSD 4.2, but not 4.3) might use zero instead of -1 for the network/subnet/host fields of a broadcast packet and that hosts should accept incoming packets as such, making 0.0.0.0 equivalent to 255.255.255.255.

So the question remains: what does Apple need to fix? Any code trying to send a packet to/from address 0.0.0.0 should just get an error back from the network stack. And given the extreme age of systems that might use it as a broadcast address, the stack should probably reject packets from the network that use it as a destination unless the system is explicitly configured to allow them.

And if macOS's stack is not discarding packets addressed to 0.0.0.0 and is not treating them identically to 255.255.255.255, well, then they've got a bug that should be fixed whether or not there's an exploit.
Score: 16 Votes
Populus
27 weeks ago
If this vulnerability is as serious as it seems, in my humble opinion it should be addressed or, at least, mitigated in the next security updates of Safari 17, and even in the upcoming security patch of iOS 16 and Monterey.
Score: 10 Votes
Nugget
27 weeks ago
I hope the remediation for this exploit doesn't impact DNS-based ad blockers like Pi-hole which currently use the 0.0.0.0 address as the mechanism for blocking traffic to blacklisted hostnames.

Also, "Reader mode" in Safari bypasses the subscription nag on the linked article.
Score: 5 Votes
foobarbaz
27 weeks ago
The description is vague, but I figure the following is going on:

Some app on the local machine is running a web server. This is either a developer running a dev build of a website locally or other software that uses HTTP internally (more than you think).

Normally such a server is never reachable from the outside. But JavaScript on a website is not outside, it's running locally, so it can access these local web servers. And if they don't require authentication (e.g. maybe because the dev hasn't implemented it yet, or because security relies on it not being reachable from the outside), the JavaScript can use the local web server to do nasty things, including accessing the user's data.

But it's somewhat of an old hat. Some people claim it's "working as designed". Safari normally blocks such local requests, but Chrome didn't last time I checked. (It's a major reason I'm not using Chrome.) But I guess they figured out a way around Safari's block, which is what they probably reported to Apple.
Score: 4 Votes
richie510
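The scenario foobarbaz describes, a local development server that trusts every request because it assumes nothing outside the machine can reach it, has a server-side defence that does not depend on any browser fix. The following is an added example written for this page; it is not code from the article, from Oligo Security, or from any browser vendor. It shows a small Python dev server that binds to loopback only and refuses any request whose Host header is not a loopback name or whose Origin header names a foreign website. A page's JavaScript cannot forge either header, so a request aimed at http://0.0.0.0:8000 arrives with Host: 0.0.0.0:8000 and is rejected even if the server were bound to the wildcard address. The allowed host list and the port are assumptions, not settings from any real project.

```python
"""
Hardening a local development HTTP server against requests that a web page's
JavaScript may send to it. Added example, not the article's or any vendor's code.

Two independent defences:
  1. Bind to the loopback address only, never to 0.0.0.0 (the wildcard bind is
     what makes the server answer on every interface).
  2. Check the Host and Origin headers on every request. A browser fills these
     in and a page cannot forge them, so a request whose Origin is some other
     website, or whose Host is not a loopback name, is refused before any
     handler code runs.
"""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Names the server is legitimately reached by. Assumed values; a team would add
# whatever hostname it actually uses for local development.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_name_only(host_header: str) -> str:
    """Strip an optional :port from a Host header value, keeping IPv6 brackets."""
    if host_header.startswith("["):           # "[::1]:8000" -> "[::1]"
        return host_header.split("]")[0] + "]"
    return host_header.split(":")[0]          # "localhost:8000" -> "localhost"


def is_allowed_request(host_header, origin_header):
    """
    Decide whether a request may proceed.

    host_header:   value of the Host header (None if absent)
    origin_header: value of the Origin header (None if absent, as for a plain
                   same-origin navigation or a curl call from the terminal)
    Returns (allowed: bool, reason: str).
    """
    if not host_header or host_name_only(host_header.strip()) not in ALLOWED_HOSTS:
        return False, "Host header is missing or is not a loopback name"
    if origin_header is not None:
        # Browsers send the literal "null" for opaque origins (sandboxed frames,
        # data: URLs); urlsplit gives it no scheme, so it is refused as malformed.
        parts = urlsplit(origin_header.strip())
        if parts.scheme not in ("http", "https") or parts.hostname is None:
            return False, "Origin header is malformed"
        if parts.hostname.lower() not in {h.strip("[]") for h in ALLOWED_HOSTS}:
            return False, "cross-origin request from " + origin_header
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    """Runs the header check before serving anything."""

    def _guard(self) -> bool:
        allowed, reason = is_allowed_request(self.headers.get("Host"),
                                             self.headers.get("Origin"))
        if not allowed:
            self.send_error(403, reason)
        return allowed

    def do_GET(self):
        if not self._guard():
            return
        body = b"hello from the local dev server\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port: int = 8000) -> None:
    # Defence 1: loopback bind. Passing "0.0.0.0" here would expose the server
    # on every interface and is the setting to avoid.
    with ThreadingHTTPServer(("127.0.0.1", port), GuardedHandler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it and the server answers a request typed into a browser's address bar as http://localhost:8000/ (no Origin header, loopback Host), while a fetch() issued by a page on any other site carries that site's Origin and gets a 403. The Host check is what matters for the 0.0.0.0 case specifically; the Origin check additionally covers a page that reaches the server through a name that does resolve to loopback.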
27 weeks ago

I hope the remediation for this exploit doesn't impact DNS-based ad blockers like Pi-hole which currently use the 0.0.0.0 address as the mechanism for blocking traffic to blacklisted hostnames.

Also, "Reader mode" in Safari bypasses the subscription nag on the linked article.
I do not think this should affect pi-hole. pi-hole uses 0.0.0.0 as a null address that should be rejected by the OS. https://docs.pi-hole.net/ftldns/blockingmode/
Score: 4 Votes