Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > alt.os.linux > #80305

Re: An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable

Message-ID <66b93e34@news.ausics.net> (permalink)
From not@telling.you.invalid (Computer Nerd Kev)
Subject Re: An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable
Newsgroups alt.os.linux, alt.comp.software.firefox, alt.comp.os.windows-10
References <v93o5e$12pp$1@news.gegeweb.eu> <87y155csf1.fsf@sonera.fi>
Date 2024-08-12 08:41 +1000
Organization Ausics - https://newsgroups.ausics.net

Cross-posted to 3 groups.

Show all headers | View raw

In alt.comp.software.firefox Jukka Lahtinen <jtfjdehf@hotmail.com.invalid> wrote:
> Enrico Papaloma <enrico@papaloma.net> writes:
> 
>> It affects Chromium, Firefox, and Safari on laptops running macOS and
>> Linux.
> 
> I'm curious: why only laptops?

Not only laptops, the article's author must have just forgotten
that desktop PCs exist.

> Does it detect some hardware difference between laptop and desktop?

No it's a standard behaviour of the OSs on whatever platform they
run. As the Wikipedia page says:
"In Linux a program may specify 0.0.0.0 as the remote address to 
 connect to the current host (AKA localhost)."
  https://en.wikipedia.org/wiki/0.0.0.0

It seems that MacOS inherited that behaviour too.

The trouble is that to prevent Javascript on websites from snooping
on services running on localhost, browsers implemented blocks for
requests to the usual localhost IP addresses that start with
"127.". They forgot, probably because they're Windows-centric, that
0.0.0.0 works the same way on Linux and similar OSs, so nasty
scripts could just use that instead of the usual 127.0.0.1.

It's not really a big security vulnerability, which is probably why
developers have been lazy about fixing it even though the fix would
be ridiculously easy. I'd argue it's a demonstration of why allowing
unknown Javascript on websites to talk to whatever IP address they
want to from your browser is a terrible idea in the first place, but
that ship has definitely sailed and by running NoScript I regularly
see how many websites rely on such behaviour now.

-- 
__          __
#_ < |\| |< _#

Back to alt.os.linux | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable Enrico Papaloma <enrico@papaloma.net> - 2024-08-08 17:33 -0700
  Re: An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable Jukka Lahtinen <jtfjdehf@hotmail.com.invalid> - 2024-08-10 00:12 +0300
    Re: An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable not@telling.you.invalid (Computer Nerd Kev) - 2024-08-12 08:41 +1000
      Re: An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable danmin@danminart-dot-com.no-spam.invalid (Danart) - 2024-08-29 10:57 +0000
  Re: An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable John McCue <jmccue@qball.jmcunx.com> - 2024-08-09 22:43 +0000

csiph-web