• An 18-year-old browser exploit named The 0.0.0.0 Day Vulnerability leaves Linux laptops running Chromium & Firefox vulnerable

    From Enrico Papaloma@enrico@papaloma.net to alt.os.linux,alt.comp.software.firefox,alt.comp.os.windows-10 on Thu Aug 8 17:33:49 2024
    From Newsgroup: alt.os.linux

    An 18-year-old browser exploit leaves MacBooks and Linux laptops vulnerable
    - but a fix is coming

    On Wednesday, Microsoft updated the Microsoft Edge Security Updates page to read: "Microsoft is aware of the recent Chromium security fixes. We are actively working on releasing a security fix."

    https://www.laptopmag.com/laptops/an-18-year-old-browser-exploit-leaves-macbooks-and-linux-laptops-vulnerable-but-a-fix-is-coming

    It affects Chromium, Firefox, and Safari on laptops running macOS and
    Linux.

    Sometimes, we've seen big companies take up to a few months to fix a
    glaring bug, risk, or other issue within an OS or a browser, but usually, issues are fixed within days or weeks. However, a vulnerability recently brought up by Oligo Security has gone without a fix for much longer: 18
    years.

    This vulnerability - referred to by Oligo as the "0.0.0.0 Day"
    vulnerability - allows for remote code execution via a local network through
    a public website. And here's the scary part: it affects Chromium, Firefox,
    and Safari on laptops running macOS and Linux.

    Malicious websites can navigate through weak browser security, an issue
    Oligo says "stems from the inconsistent implementation of security
    mechanisms across different browsers, along with a lack of standardization
    in the browser industry."

    Oligo stumbled across a security issue reported to Mozilla in 2006 that's
    still open today, unfixed, despite multiple major issues between then and
    now. According to Oligo, "The bug report was closed, reopened, then
    prioritized - and will now remain open until Firefox implements [Private
    Network Access]."
    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Jukka Lahtinen@jtfjdehf@hotmail.com.invalid to alt.os.linux,alt.comp.software.firefox,alt.comp.os.windows-10 on Sat Aug 10 00:12:02 2024
    From Newsgroup: alt.os.linux

    Enrico Papaloma <enrico@papaloma.net> writes:

    > It affects Chromium, Firefox, and Safari on laptops running macOS and
    > Linux.

    I'm curious: why only laptops?
    Does it detect some hardware difference between laptop and desktop?
    --
    Jukka Lahtinen
  • From John McCue@jmccue@qball.jmcunx.com to alt.os.linux,alt.comp.software.firefox,alt.comp.os.windows-10 on Fri Aug 9 22:43:29 2024
    From Newsgroup: alt.os.linux

    Trimmed followups to alt.comp.software.firefox

    In alt.comp.software.firefox Enrico Papaloma <enrico@papaloma.net> wrote:
    > An 18-year-old browser exploit leaves MacBooks and Linux
    > laptops vulnerable - but a fix is coming

    <snip>

    > It affects Chromium, Firefox, and Safari on laptops running macOS and
    > Linux.

    Also kind of on OpenBSD, but OpenBSD has something
    in the kernel that fixes the issue. This tells me
    it may be an issue with the other BSDs also.

    https://marc.info/?l=openbsd-ports&m=172318365826454&w=2
    --
    csh(1) - "An elegant shell, for a more... civilized age."
    - Paraphrasing Star Wars
  • From not@not@telling.you.invalid (Computer Nerd Kev) to alt.os.linux,alt.comp.software.firefox,alt.comp.os.windows-10 on Mon Aug 12 08:41:56 2024
    From Newsgroup: alt.os.linux

    In alt.comp.software.firefox Jukka Lahtinen <jtfjdehf@hotmail.com.invalid> wrote:
    > Enrico Papaloma <enrico@papaloma.net> writes:
    >
    >> It affects Chromium, Firefox, and Safari on laptops running macOS and
    >> Linux.
    >
    > I'm curious: why only laptops?

    Not only laptops, the article's author must have just forgotten
    that desktop PCs exist.

    > Does it detect some hardware difference between laptop and desktop?

    No, it's a standard behaviour of the OSs on whatever platform they
    run. As the Wikipedia page says:
    "In Linux a program may specify 0.0.0.0 as the remote address to
    connect to the current host (AKA localhost)."
    https://en.wikipedia.org/wiki/0.0.0.0

    It seems that macOS inherited that behaviour too.

    The trouble is that to prevent JavaScript on websites from snooping
    on services running on localhost, browsers implemented blocks for
    requests to the usual localhost IP addresses that start with
    "127.". They forgot, probably because they're Windows-centric, that
    0.0.0.0 works the same way on Linux and similar OSs, so nasty
    scripts could just use that instead of the usual 127.0.0.1.

    It's not really a big security vulnerability, which is probably why
    developers have been lazy about fixing it even though the fix would
    be ridiculously easy. I'd argue it's a demonstration of why allowing
    unknown JavaScript on websites to talk to whatever IP address they
    want to from your browser is a terrible idea in the first place, but
    that ship has definitely sailed and by running NoScript I regularly
    see how many websites rely on such behaviour now.
    --
    __ __
    #_ < |\| |< _#
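
The check described in the post above, modelled as an added example (not part of the thread and not code from any browser): a prefix test for the usual localhost spellings next to a classifier that also treats 0.0.0.0/8 as local, in the spirit of the Private Network Access proposal the article mentions. The function names, the three-level ranking and the sample URLs are assumptions made for illustration; only IPv4 literals are handled.

```javascript
// Added illustration: simplified model of a browser-side destination check.
// Not code from Chromium, Firefox or Safari; sample URLs are constructed.

// Parse a dotted-quad hostname into four octets, or return null.
function ipv4Octets(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((n) => n <= 255) ? o : null;
}

// Weak check as described in the post: only the usual localhost spellings.
function naiveIsLocal(url) {
  const host = new URL(url).hostname;
  return host === "localhost" || host.startsWith("127.");
}

// Hardened check: classify the destination, counting 0.0.0.0/8 as local.
function addressSpace(url) {
  const host = new URL(url).hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return "local";
  const o = ipv4Octets(host);
  // Other names and IPv6 literals are not handled in this sketch; a real
  // check has to classify the address actually connected to.
  if (!o) return "public";
  if (o[0] === 127 || o[0] === 0) return "local";
  if (o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
      (o[0] === 192 && o[1] === 168)) return "private";
  return "public";
}

// Policy: a page may only reach destinations no more private than itself.
const RANK = { public: 0, private: 1, local: 2 };
function allowRequest(pageUrl, targetUrl) {
  return RANK[addressSpace(targetUrl)] <= RANK[addressSpace(pageUrl)];
}

// Constructed sample destinations requested by a page at pageUrl.
const samples = ["http://127.0.0.1:8080/", "http://0.0.0.0:8080/",
                 "http://192.168.1.10/", "https://example.com/api"];
function report(pageUrl) {
  return samples.map((t) => ({ target: t, naiveBlocks: naiveIsLocal(t),
                               hardenedBlocks: !allowRequest(pageUrl, t) }));
}
console.table(report("https://example.com/"));
```

The 0.0.0.0 row is the one where the two columns disagree: the prefix test lets it through, while the classifier treats it the same as 127.0.0.1.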
  • From danmin@danmin@danminart-dot-com.no-spam.invalid (Danart) to alt.os.linux on Thu Aug 29 10:57:23 2024
    From Newsgroup: alt.os.linux


    Enrico Papaloma wrote:
    > An 18-year-old browser exploit leaves MacBooks and Linux laptops vulnerable
    > - but a fix is coming
    >
    > On Wednesday, Microsoft updated the Microsoft Edge Security Updates page to
    > read: "Microsoft is aware of the recent Chromium security fixes. We are
    > actively working on releasing a security fix."
    >
    > https://www.laptopmag.com/laptops/an-18-year-old-browser-exploit-leaves-macbooks-and-linux-laptops-vulnerable-but-a-fix-is-coming
    >
    > It affects Chromium, Firefox, and Safari on laptops running macOS and
    > Linux.
    >
    > Sometimes, we've seen big companies take up to a few months to fix a
    > glaring bug, risk, or other issue within an OS or a browser, but usually,
    > issues are fixed within days or weeks. However, a vulnerability recently
    > brought up by Oligo Security has gone without a fix for much longer: 18
    > years.
    >
    > It affects Chromium, Firefox, and Safari on laptops running macOS and
    > Linux.
    >
    > This vulnerability - referred to by Oligo as the "0.0.0.0 Day"
    > vulnerability - allows for remote code execution via a local network through
    > a public website. And here's the scary part: it affects Chromium, Firefox,
    > and Safari on laptops running macOS and Linux.
    >
    > Malicious websites can navigate through weak browser security, an issue
    > Oligo says "stems from the inconsistent implementation of security
    > mechanisms across different browsers, along with a lack of standardization
    > in the browser industry."
    >
    > Oligo stumbled across a security issue reported to Mozilla in 2006 that's
    > still open today, unfixed, despite multiple major issues between then and
    > now. According to Oligo, "The bug report was closed, reopened, then
    > prioritized - and will now remain open until Firefox implements [Private
    > Network Access]."

    It depends, and which Linux distros
    and applications do you need to update?

    I would rather LibreWolf over Firefox any day.