Thomas Brewster / Forbes: Researchers: hackers have used an 18-year-old flaw in how Safari, Chrome, and Firefox on macOS handle queries to a 0.0.0.0 IP address to breach private networks — Weaknesses in Chrome, Firefox and Safari gave hackers a route into internal networks, even those protected by firewalls, security researchers warn.
Reading the article from the researchers it looks like these requests are specifically made using JavaScript, so maybe disable it? Maybe there’s a way to block JavaScript from making any requests of 0.0.0.0? Or start using a Chromium browser? It’s going to start rolling out as a trial beginning with version 128 and expected to be shipping by version 133. There’s been an open bug report for this in Firefox since 2006 but there’s been a debate about whether it was really an issue or not so it was closed and reopened several times and it sounds like they might have to add support for a whole new protocol that’s only a proposal and not a W3C standard or even on the standards track. I’m guessing this might not be fixed in Firefox very quickly.
If I use a browser based on Firefox (like Waterfox, Librewolf, or Ghostery) would that browser need to wait for Mozilla to fix it and inherit their fix, or could they address it in their own version of Firefox?