WebGL is a feature of current versions of Firefox and Chrome.
Last month, Context Information Security raised the possibility of creating malicious WebGL components that exploit vulnerabilities in graphics drivers. WebGL generates code and data that is executed by the computer's GPU (graphics processing unit).
"Considering the complexity of the drivers and hardware interactions it seems hard to believe that there has never been an exploitable bug in their [ATI's or Nvidia's] software which needed immediate remediation," noted Context. Furthermore, the company noted that the vendor's reference driver is typically blocked from installing on laptops and so any security-related updates are harder than necessary to deploy.
Potential exploits include denial of service (eg, by tying up the GPU for extended periods, or by causing a complete crash), and Context pointed out that WebGL project manager Khronos provides sample code in the SDK which serves as a proof of concept for this issue. Context itself offers a proof of concept for cross-domain image theft via WebGL.
However, the US-CERT issued a statement encouraging "users and administrators to review the Context report and disable WebGL to help mitigate the risks."
Now Microsoft has waded into the debate. Under the headline "WebGL Considered Harmful", the company's Security Response Center says it has conducted its own analysis and concluded that "Microsoft products supporting WebGL would have difficulty passing Microsoft's Security Development Lifecycle requirements."
Particular issues identified include the "overly permissive" exposure of hardware functionality to web content, the reliance on third parties (component and computer vendors) for security updates to graphics drivers, and problematic denial-of-service scenarios.
Context now claims "neither Chrome nor Firefox passed the 144 Khronos conformance tests for WebGL, including a number that are directly related to security."
Michael Jordon, R&D manager at Context, said "It would be unreasonable to expect full conformance to the complete specification of any new standard but some areas of WebGL need to be carefully implemented to prevent security issues arising. Browser developers should now start banning non-conformant configurations as they are identified until the security issues that have been highlighted are resolved."
"Context would advise anyone at risk to disable WebGL until the security vulnerabilities have been addressed. Context has been working with developers of the Firefox plug-in NoScript to include support to selectively disable WebGL and would recommend this plug-in to protect users from malicious Internet content," he added.