Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > alt.os.linux > #80294 > unrolled thread

An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable

Back to article view | Back to alt.os.linux

Contents

  An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable Enrico Papaloma <enrico@papaloma.net> - 2024-08-08 17:33 -0700
    Re: An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable Jukka Lahtinen <jtfjdehf@hotmail.com.invalid> - 2024-08-10 00:12 +0300
      Re: An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable not@telling.you.invalid (Computer Nerd Kev) - 2024-08-12 08:41 +1000
        Re: An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable danmin@danminart-dot-com.no-spam.invalid (Danart) - 2024-08-29 10:57 +0000
    Re: An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable John McCue <jmccue@qball.jmcunx.com> - 2024-08-09 22:43 +0000

#80294 — An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable

An 18-year-old browser exploit leaves MacBooks and Linux laptops vulnerable
- but a fix is coming

On Wednesday, Microsoft updated the Microsoft Edge Security Updates page to
read:  "Microsoft is aware of the recent Chromium security fixes. We are
actively working on releasing a security fix."

https://www.laptopmag.com/laptops/an-18-year-old-browser-exploit-leaves-macbooks-and-linux-laptops-vulnerable-but-a-fix-is-coming

It affects Chromium, Firefox, and Safari on laptops running macOS and
Linux.

Sometimes, we've seen big companies take up to a few months to fix a
glaring bug, risk, or other issue within an OS or a browser, but usually,
issues are fixed within days or weeks. However, a vulnerability recently
brought up by Oligo Security has gone without a fix for much longer: 18
years.

It affects Chromium, Firefox, and Safari on laptops running macOS and
Linux.

This vulnerability - referred to by Oligo as the "0.0.0.0 Day"
vulnerability-allows for remote code execution via a local network through
a public website. And here's the scary part: it affects Chromium, Firefox,
and Safari on laptops running macOS and Linux.

Malicious websites can navigate through weak browser security, an issue
Oligo says "stems from the inconsistent implementation of security
mechanisms across different browsers, along with a lack of standardization
in the browser industry."

Oligo stumbled across a security issue reported to Mozilla in 2006 that's
still open today, unfixed, despite multiple major issues between then and
now. According to Oligo, "The bug report was closed, reopened, then
prioritized-and will now remain open until Firefox implements [Private
Network Access]."

[toc] | [next] | [standalone]

#80297

Enrico Papaloma <enrico@papaloma.net> writes:

> It affects Chromium, Firefox, and Safari on laptops running macOS and
> Linux.

I'm curious: why only laptops?
Does it detect some hardware difference between laptop and desktop?

-- 
Jukka Lahtinen

[toc] | [prev] | [next] | [standalone]

#80305

In alt.comp.software.firefox Jukka Lahtinen <jtfjdehf@hotmail.com.invalid> wrote:
> Enrico Papaloma <enrico@papaloma.net> writes:
> 
>> It affects Chromium, Firefox, and Safari on laptops running macOS and
>> Linux.
> 
> I'm curious: why only laptops?

Not only laptops, the article's author must have just forgotten
that desktop PCs exist.

> Does it detect some hardware difference between laptop and desktop?

No it's a standard behaviour of the OSs on whatever platform they
run. As the Wikipedia page says:
"In Linux a program may specify 0.0.0.0 as the remote address to 
 connect to the current host (AKA localhost)."
  https://en.wikipedia.org/wiki/0.0.0.0

It seems that MacOS inherited that behaviour too.

The trouble is that to prevent Javascript on websites from snooping
on services running on localhost, browsers implemented blocks for
requests to the usual localhost IP addresses that start with
"127.". They forgot, probably because they're Windows-centric, that
0.0.0.0 works the same way on Linux and similar OSs, so nasty
scripts could just use that instead of the usual 127.0.0.1.

It's not really a big security vulnerability, which is probably why
developers have been lazy about fixing it even though the fix would
be ridiculously easy. I'd argue it's a demonstration of why allowing
unknown Javascript on websites to talk to whatever IP address they
want to from your browser is a terrible idea in the first place, but
that ship has definitely sailed and by running NoScript I regularly
see how many websites rely on such behaviour now.

-- 
__          __
#_ < |\| |< _#

[toc] | [prev] | [next] | [standalone]

#80343

 > Enrico Papaloma wrote:
 > An 18-year-old browser exploit leaves MacBooks and Linux laptops
vulnerable
 > - but a fix is coming
 > 
 > On Wednesday, Microsoft updated the Microsoft Edge Security Updates
page to
 > read:  "Microsoft is aware of the recent Chromium security
fixes. We are
 > actively working on releasing a security fix."
 > 
 >
https://www.laptopmag.com/laptops/an-18-year-old-browser-exploit-leaves-macbooks-and-linux-laptops-vulnerable-but-a-fix-is-coming
 > 
 > It affects Chromium, Firefox, and Safari on laptops running macOS
and
 > Linux.
 > 
 > Sometimes, we've seen big companies take up to a few months to fix
a
 > glaring bug, risk, or other issue within an OS or a browser, but
usually,
 > issues are fixed within days or weeks. However, a vulnerability
recently
 > brought up by Oligo Security has gone without a fix for much
longer: 18
 > years.
 > 
 > It affects Chromium, Firefox, and Safari on laptops running macOS
and
 > Linux.
 > 
 > This vulnerability - referred to by Oligo as the "0.0.0.0
Day"
 > vulnerability-allows for remote code execution via a local network
through
 > a public website. And here's the scary part: it affects Chromium,
Firefox,
 > and Safari on laptops running macOS and Linux.
 > 
 > Malicious websites can navigate through weak browser security, an
issue
 > Oligo says "stems from the inconsistent implementation of
security
 > mechanisms across different browsers, along with a lack of
standardization
 > in the browser industry."
 > 
 > Oligo stumbled across a security issue reported to Mozilla in 2006
that's
 > still open today, unfixed, despite multiple major issues between
then and
 > now. According to Oligo, "The bug report was closed, reopened,
then
 > prioritized-and will now remain open until Firefox implements
[Private
 > Network Access]."

It depends, and which Linux distros
and applications you need to update? 

I would rather Libre-wolf over fire fox any day.
 

This is a response to the post seen at:
http://www.jlaforums.com/viewtopic.php?p=671301521#671301521

[toc] | [prev] | [next] | [standalone]

#80299

Trimmed followups to alt.comp.software.firefox

In alt.comp.software.firefox Enrico Papaloma <enrico@papaloma.net> wrote:
> An 18-year-old browser exploit leaves MacBooks and Linux
> laptops vulnerable - but a fix is coming
> 
<snip>
> 
> It affects Chromium, Firefox, and Safari on laptops running macOS and
> Linux.

Also kind of on OpenBSD, but OpenBSD has something
in the kernel that fixes the issue.  This tells me
it may be an issue with the other BSDs also.

https://marc.info/?l=openbsd-ports&m=172318365826454&w=2

-- 
csh(1) - "An elegant shell, for a more... civilized age."
                     - Paraphrasing Star Wars

[toc] | [prev] | [standalone]

Back to top | Article view | alt.os.linux

csiph-web