Is WebGL dangerous?


vasa1
May 11th, 2011, 02:11 AM
New graphics engines imperil users of Firefox and Chrome (http://www.theregister.co.uk/2011/05/11/chrome_firefox_security_threat/)

ronjor
May 11th, 2011, 07:30 AM
-{ Quote: "Khronos respond to WebGL security report

On the claim that WebGL makes it easier to perform denial of service and memory access attacks, Khronos says that an extension to OpenGL, GL_ARB_robustness, is specifically designed to prevent those attacks. Approved in July 2010, GL_ARB_robustness was contributed to by developers from NVIDIA, Google, ARM, Apple and Mozilla. The GL_ARB_robustness extension has already been deployed by some GPU vendors and Khronos says it expects it to be "deployed rapidly by others". It suggests that browsers should check for the presence of the extension before enabling WebGL and that this would become the standard way of deploying WebGL "in the near future"." }-

http://www.h-online.com/security/news/item/Khronos-respond-to-WebGL-security-report-1241304.html
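
The check Khronos suggests in the quote above, sketched as an added example (not part of the thread and not any browser's actual code): gate WebGL on GL_ARB_robustness appearing as an exact token in the driver's extension string, failing closed when the string is missing. The function names and the sample extension strings are constructed for illustration; in a real program the string would come from `glGetString(GL_EXTENSIONS)`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return true only if `name` appears as a complete, space-delimited token in
 * `ext_list`. A bare strstr() is not enough: it would accept a longer name
 * such as "GL_ARB_robustness_isolation" as proof of "GL_ARB_robustness". */
static bool has_gl_extension(const char *ext_list, const char *name)
{
    if (ext_list == NULL || name == NULL || *name == '\0')
        return false;                       /* no data: fail closed */

    size_t len = strlen(name);
    const char *p = ext_list;

    while ((p = strstr(p, name)) != NULL) {
        bool starts_token = (p == ext_list) || (p[-1] == ' ');
        bool ends_token   = (p[len] == ' ') || (p[len] == '\0');
        if (starts_token && ends_token)
            return true;
        p += 1;                             /* keep scanning past this hit */
    }
    return false;
}

/* Hypothetical browser-side gate: WebGL stays off unless the driver
 * advertises GL_ARB_robustness. */
static bool webgl_allowed(const char *ext_list)
{
    return has_gl_extension(ext_list, "GL_ARB_robustness");
}

/* Constructed sample extension strings (not captured from real drivers). */
static const char *SAMPLE_ROBUST =
    "GL_ARB_multitexture GL_ARB_robustness GL_EXT_texture3D";
static const char *SAMPLE_LOOKALIKE =
    "GL_ARB_multitexture GL_ARB_robustness_isolation";
static const char *SAMPLE_NONE =
    "GL_ARB_multitexture GL_EXT_texture3D";

int main(void)
{
    printf("robust driver:    %s\n", webgl_allowed(SAMPLE_ROBUST) ? "enable" : "disable");
    printf("look-alike only:  %s\n", webgl_allowed(SAMPLE_LOOKALIKE) ? "enable" : "disable");
    printf("no robustness:    %s\n", webgl_allowed(SAMPLE_NONE) ? "enable" : "disable");
    printf("no string at all: %s\n", webgl_allowed(NULL) ? "enable" : "disable");
    return 0;
}
```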

Mr.PC
May 11th, 2011, 07:46 AM
Interesting...

J_L
May 11th, 2011, 10:17 PM
If it is verified and patched quickly, I don't see how WebGL is worse than Flash.

Hungry Man
May 13th, 2011, 08:19 PM
Definitely seems worse than flash considering that OGL gives direct access to hardware and since graphics drivers are not created with security in mind. Flash at least gets security updates. Graphics drivers pretty much only ever get performance/stability updates because up until very recently they've only been used for games. The API is wide open and allows a TON to be done with it. Whereas flash's API is far more closed by comparison.

J_L
May 13th, 2011, 09:33 PM
Wide open APIs tend to be more secure than closed APIs. Look at Linux, FreeBSD, Chrome, etc.

Hungry Man
May 13th, 2011, 09:51 PM
Chrome's extension API is quite closed. Same goes for the API that chrome is pushing for flash.

Open API means fewer limits.

And again, this isn't even to mention the fact that exploiting OGL means direct access to a hardware component. The reason this is a big deal is not because of the fact that they can exploit it, it's because when they do exploit it they'll gain access to critical system parts.

vasa1
June 9th, 2011, 11:44 AM
Mozilla disables Firefox 5 WebGL's cross domain textures - update (http://www.h-online.com/security/news/item/Mozilla-disables-Firefox-5-WebGL-s-cross-domain-textures-update-1257998.html)

-{ Quote: "Mozilla is disabling cross domain textures in Firefox 5's WebGL implementation after a researcher demonstrated an ability to abuse the capability." }-

funkydude
June 16th, 2011, 01:57 PM
-{ Quote: "Microsoft said on Thursday that it refuses to endorse WebGL from a security perspective.

The strong words came directly from Microsoft’s own security research and defense team. Microsoft’s MSRC engineering team has been analysing WebGL recently and concludes that Microsoft products supporting WebGL would “have difficulty” passing the company’s own Security Development Lifecycle requirements. The software giant highlighted the following concerns in a blog post on Thursday." }-

https://blogs.technet.com/b/srd/archive/2011/06/16/webgl-considered-harmful.aspx

Dermot7
June 16th, 2011, 07:31 PM
"An industry standard graphics engine recently added to Mozilla's Firefox browser allows attackers to surreptitiously steal any image displayed on a Windows or Mac computer just by visiting a booby-trapped website, security researchers have warned." :

http://www.theregister.co.uk/2011/06/16/webgl_security_threats_redux/

J_L
June 16th, 2011, 07:45 PM
Is Chrome also vulnerable?

JRViejo
June 16th, 2011, 07:47 PM
Merged Threads to Continue Same Topic!

funkydude
June 16th, 2011, 07:53 PM
-{ Quote: "Is Chrome also vulnerable?" }-

No, but the article describes how you can disable webgl in Chrome, advice which I've followed.

-{ Quote: "For Chrome on Windows pass the flag “--disable-webgl” when running the executable by changing the shortcut in the start menu. A user can right click on the chrome shortcut, select properties and add the flag as per the following screenshot." }-

Hungry Man
June 16th, 2011, 09:02 PM
I'm just not even slightly worried about WGL exploits because we haven't seen anyone actually make use of one yet.

CloneRanger
June 16th, 2011, 09:32 PM
Why risk it? You know how ingenious some of the baddies are these days, any which way they can to get in, they will try!

You can disable it with NoScript :)

Hungry Man
June 16th, 2011, 09:40 PM
WebGL needs javascript to initiate, no? I have javascript on a whitelist. Honestly, that's about as much work as I'm willing to put into protecting myself from a new vulnerability that hasn't been utilized once publicly.

dw426
June 16th, 2011, 09:59 PM
I think it's not a big issue, not because the exploits aren't out there, but simply because WebGL is barely used anywhere period. It's just yet another case of browser makers adding in new things that will take the web, as a whole, years to adopt. And, since browser vendors now have this "me too" obsession, they'll all have this risk to contend with.

vasa1
June 17th, 2011, 03:07 AM
More on the WebGL story:
http://www.theregister.co.uk/2011/06/16/webgl_security_threats_redux/

-{ Quote: "A spokeswoman for Mozilla said the vulnerability will be fixed with the introduction of Firefox 5, due next week. A statement issued by representatives of Khronos, the firm that acts as the gatekeeper for the WebGL standard, said that the threat "is due to a bug in Firefox's WebGL implementation, and cannot be generalized across other browsers' WebGL implementations."" }-

chachazz
June 17th, 2011, 09:21 PM
Mozilla Security: Blog WebGL graphics memory stealing issue
06.16.11 - 06:44pm
http://blog.mozilla.com/security/2011/06/16/webgl-graphics-memory-stealing-issue/

Issue
There is a specific security issue with the WebGL implementation in Firefox 4.

Impact to users
This issue allows attackers to capture screen shots of private or confidential information.

Status
Mozilla is aware of this bug and has issued a fix that will be released with the next version of Firefox, tentatively scheduled for June 21.

This is a Firefox-specific implementation issue not a WebGL specification issue.

In the interim, to protect themselves users can update to Firefox Beta (http://www.mozilla.com/en-US/firefox/all-beta.html) or temporarily disable WebGL.

To disable WebGL, in Firefox go to about:config and set webgl.disabled to true.

Credit
The bug was reported by Context.

Nick Rhodes
June 18th, 2011, 03:39 PM
As safe as technology that allows you to run 3rd party commands/scripts against a subsystem on your machine, like ActiveX or Java applets.

Question is what attack vectors are there via the OpenGL drivers?
It's been over 10 years since I wrote any OpenGL, but the API did not appear to have any direct access to the rest of the system. I suspect that all that can be done are exploits, which means it's down to the underlying video subsystem as to what the range of potential exploitation is, and means security being tightened up by the driver developers or possibly browser developers who develop some filtering and protection (e.g. block dangerous WebGL commands).

Cheers, Nick

vasa1
June 20th, 2011, 01:28 PM
The argument continues:
http://www.h-online.com/security/news/item/Mozilla-rejects-Microsoft-s-WebGL-criticism-1263986.html
-{ Quote: "... parts of the application stack, such as font engines, video codecs and image libraries, have been exposed in the past when new capabilities have been added and that these new threats were then "modelled, understood and mitigated".
...
" }-

and more, this time supposedly by an employee of MS in a private blog:
Microsoft's WebGL claims bashed by own employee (http://www.theregister.co.uk/2011/06/20/webgl_/)
-{ Quote: "'Scare report' pooh poohed
... He ... said the risks were no greater than those posed by any new technology added to browsers, such as ActiveX controls, which for years were among the most exploited Internet Explorer browser component until Microsoft figured out a way to lock them down. ...
" }-

Firecat
June 21st, 2011, 06:59 AM
I think Microsoft's concerns about WebGL are basically a PR move to protect the company's interests. WebGL itself is no more or less dangerous than Flash right now. Heck, most of the vulnerabilities will be with the software and not with the graphics drivers. In any case, most video card giants like Intel, NVIDIA and AMD release drivers at least on a tri-monthly basis.

Microsoft's real concern lies with the word "lifecycle". Since any future vulnerabilities will involve Microsoft having to patch it for older versions of IE as well as older versions of Windows (which they'd happily be willing to drop support for once the lifecycle is up), they don't like it.

funkydude
June 21st, 2011, 09:13 AM
-{ Quote: "WebGL itself is no more or less dangerous than Flash right now" }-

Really? Does flash give you direct access to GPU metal? I highly doubt it.

-{ Quote: "In any case, most video card giants like Intel, NVIDIA and AMD release drivers at least on a tri-monthly basis." }-

So? Video drivers are amongst the most non-updated software around, add to that the people that are forced to use older versions due to FPS issues with newer versions. Also, you can't just start patching video drivers for security, they are designed for maximum performance, this is a big worry with WebGL also.

The Steam Hardware & Software Survey (http://store.steampowered.com/hwsurvey?platform=pc) gives a good idea of how people are with updating video drivers, with some dating back to 2008. Considering Steam is a gaming platform, the kind of people who are generally more aware of what video driver updates are, you simply cannot pull the "just update the video drivers" excuse.

If Flash and Silverlight can be designed to give a better balance between security and gaming efficiency then surely a version of WebGL can do so, in my opinion.

Hungry Man
June 21st, 2011, 11:32 AM
nVidia and AMD release them monthly. And there are already ways to secure OGL that the article mentioned; it's just a matter of updating to the most recent drivers.

"Just update the video drivers" is a plenty valid "excuse." Keeping your software up to date is a perfectly valid form of mitigation that more people need to pay attention to.

m00nbl00d
June 21st, 2011, 11:38 AM
-{ Quote: "[...]

"Just update the video drivers" is a plenty valid "excuse." Keeping your software up to date is a perfectly valid form of mitigation that more people need to pay attention to." }-

Yes, it's valid. But, it's also a valid "excuse" that if new breaks what old didn't, then people will revert to old.

We're living in a :wacko: world, that's what it is. :-* ;)

hpmnick
June 21st, 2011, 11:38 AM
I'm against having to update hardware video drivers for browser activity. In my corporate environment, I want stability. I do not want to update working and stable hardware drivers every month so that I can securely run my web browser. It just doesn't make sense. If they make it modular, where I can deploy a separate installer to update security mechanisms for WebGL, then fine. Otherwise, I'm turning this off.

I use google chrome policy templates to disable it...

funkydude
June 21st, 2011, 12:27 PM
-{ Quote: "Keeping your software up to date is a perfectly valid form of mitigation that more people need to pay attention to." }-

Funny how you change your mind in less than a day, just earlier you said patching was useless (http://www.wilderssecurity.com/showpost.php?p=1891762&postcount=4). ;D

hpmnick, couldn't have put it better myself. Keeping updated video drivers just to run a browser is nuts, sacrificing gaming performance just to make them more secure is even worse.

Firecat
June 21st, 2011, 01:08 PM
-{ Quote: "Really? Does flash give you direct access to GPU metal? I highly doubt it." }-

The worst thing that can happen by direct access to the GPU metal is a BSOD (in terms of what may happen to a single computer). At best, any malicious code can attempt to exploit the driver and cause the system to crash by doing something with the graphics pipeline.

It cannot cause damage to hardware. It cannot launch some hidden process on the GPU because that needs to be on the memory anyway.

I agree that crashes may be a problem, but GPU drivers already have measures in place to "recover" the GPU in dangerous situations. There's no reason why they cannot modify it further to cover something like this.

I really do not see anything more harmful than what I've already seen, except for a new way to do the same old thing.

Note that flash itself can be hardware accelerated - what does this use? DXVA - another set of instructions incidentally using DirectX......this just uses OpenGL.

Like I said, same dangers, new methods.

Anyway, I'm not going to support or alienate WebGL in any way.....the fact is that it's just as problematic as, say, Microsoft Silverlight. Therefore, I really don't see Microsoft's reasoning here as everything else is just as vulnerable. And I think it's best to let the developers decide what to use for their sites/products. We, as end-users, will just use what is given (um, and hope for the best). :)

A good read here: http://games.greggman.com/game/webgl-security-and-microsoft-********/

(Interesting that silverlight has all the same issues including direct GPU access......and yet MS calls it secure?)

NOTE: in the above link, a word has been censored, please enter it in your browser - it's the word that starts with 'bulls'.

hpmnick
June 21st, 2011, 01:13 PM
-{ Quote: "The worst thing that can happen by direct access to the GPU metal is a BSOD. At best, any malicious code can attempt to exploit the driver and cause the system to crash by doing something with the graphics pipeline.

It cannot cause damage to hardware. It cannot launch some hidden process on the GPU because that needs to be on the memory anyway.

I agree that crashes may be a problem, but GPU drivers already have measures in place to "recover" the GPU in dangerous situations. There's no reason why they cannot modify it further to cover something like this.

I really do not see anything more harmful than what I've already seen, except for a new way to do the same old thing.

Note that flash itself can be hardware accelerated - what does this use? DXVA - another set of instructions incidentally using DirectX......this just uses OpenGL.

Like I said, same dangers, new methods." }-

BSOD's happen because the system realizes that it's reached an unstable state. It's very possible for small bits of code to be executed when this occurs. There have been quite a few vulnerabilities that have taken advantage of this.

While I'm not certain what protections there are against this happening, it definitely appears that this could turn into a bigger security flaw.

Firecat
June 21st, 2011, 01:21 PM
-{ Quote: "BSOD's happen because the system realizes that it's reached an unstable state. It's very possible for small bits of code to be executed when this occurs. There have been quite a few vulnerabilities that have taken advantage of this.

While I'm not certain what protections there are against this happening, it definitely appears that this could turn into a bigger security flaw." }-

It could, and it could not......But I think it deserves a chance. :)

dw426
June 21st, 2011, 01:47 PM
Why ask is it dangerous when you could ask is it even needed? I've said it half a million times, but I still believe it's just another case of browsers being ahead of the web. Browser vendors are all about HTML5 now, and how many places actually use it? They're all about hardware acceleration, but where is it being put to use? So now we have two browsers that are shown to be vulnerable (but likely three, come on, Microsoft's implementation can be exploited too and we all know it) now because of a technology that's barely being used and probably won't be widespread for some time to come. (still waiting on a "Flash-killer" as well).

vasa1
July 10th, 2011, 11:18 AM
WebGL Security – Kill It Before It Grows?
-http://www.conceivablytech.com/8329/business/webgl-security-kill-it-before-it-grows-

cm1971
July 10th, 2011, 11:30 AM
I disabled it just to be on the safe side. In time we will see if there is a danger or not but for now it is better to be safe than sorry imo.

Daveski17
October 23rd, 2011, 01:29 PM
GMaps goes for WebGL (http://maps.google.com/support/bin/answer.py?hl=en&answer=1630790).

funkydude
October 23rd, 2011, 02:30 PM
-{ Quote: "GMaps goes for WebGL (http://maps.google.com/support/bin/answer.py?hl=en&answer=1630790)." }-

Just tried Bing maps and it has the same smoothness and speed of the WebGL version of Google maps, switched over.

On a side note, Chrome 16 now has an option in about:flags to disable WebGL. :thumb:

Daveski17
October 23rd, 2011, 02:56 PM
-{ Quote: "Just tried Bing maps and it has the same smoothness and speed of the WebGL version of Google maps, switched over." }-

Well, GMaps is undoubtedly the best of its kind on the Web, unfortunately my notebook doesn't seem to be up to running it with GL. It probably doesn't support the shader rendering or something (it's only three years old). I didn't notice much difference between GL & non-GL on my desktop, although I would probably have to get a better graphics card to notice the difference. I'm really not that bothered at the moment. I am also a bit concerned about security exploits with WebGL (like everyone else lol). I hope that Google don't see this as the future of GMaps without a non-WebGL alternative.



-{ Quote: "On a side note, Chrome 16 now has an option in about:flags to disable WebGL. :thumb:" }-

Probably a good thing!

Hungry Man
October 23rd, 2011, 03:23 PM
There will absolutely be a non-GL alternative. I can't see them removing it entirely until phones/etc can handle it.

I'm not too worried about Google Maps being hacked. WebGL does definitely concern me though.

Daveski17
October 23rd, 2011, 03:40 PM
-{ Quote: "There will absolutely be a non-GL alternative. I can't see them removing it entirely until phones/etc can handle it." }-

Good. I hope you're right.

-{ Quote: "I'm not too worried about Google Maps being hacked. WebGL does definitely concern me though." }-

Apparently it doesn't worry Google.

Hungry Man
October 23rd, 2011, 03:42 PM
Well I wouldn't let it worry me if I were in their position. All they're doing is creating a WebGL site. That isn't horrible.

If that site gets hacked they could do something malicious with that WebGL but if the site were hacked they could insert WebGL anyways.

Daveski17
October 23rd, 2011, 04:28 PM
-{ Quote: "Well I wouldn't let it worry me if I were in their position. All they're doing is creating a WebGL site. That isn't horrible." }-

Not completely horrible. ;)

-{ Quote: "If that site gets hacked they could do something malicious with that WebGL but if the site were hacked they could insert WebGL anyways." }-

What makes WebGL any better than OpenGL or DirectX anyway?

Hungry Man
October 23rd, 2011, 05:46 PM
WebGL is just OpenGL on the internet. Or that's one way to think of it. It's based on OpenGL and includes appropriate APIs for working with the web via JS.

DirectX isn't necessarily more secure, it's just not hooked up to the web - at least not that I know of.

I don't know of any projects to expand the DirectX API so that it can run within the browser.

So why is WebGL bad?

Well, it's direct access to the GPU, which is hardware/kernel level. The API wasn't really created with security in mind because it wasn't ever really used on the internet. So now you have a wide open API that goes straight to the lowest level on your computer and an exploit can potentially give access to literally everything.

Now it is connected to the web and they have to backtrack and implement some fixes. That has to happen on the driver side so it's up to ATI/nVidia to deal with it.

Daveski17
October 23rd, 2011, 05:54 PM
-{ Quote: "WebGL is just OpenGL on the internet. Or that's one way to think of it. It's based on OpenGL and includes appropriate APIs for working with the web via JS.

DirectX isn't necessarily more secure, it's just not hooked up to the web - at least not that I know of.

I don't know of any projects to expand the DirectX API so that it can run within the browser.

So why is WebGL bad?

Well, it's direct access to the GPU, which is hardware/kernel level. The API wasn't really created with security in mind because it wasn't ever really used on the internet. So now you have a wide open API that goes straight to the lowest level on your computer and an exploit can potentially give access to literally everything.

Now it is connected to the web and they have to backtrack and implement some fixes. That has to happen on the driver side so it's up to ATI/nVidia to deal with it." }-

OK, thanks for the concise précis. :thumb:

J_L
October 23rd, 2011, 06:22 PM
WebGL is only one worry if a site is hacked. Unless you disable absolutely all affected plugins, javascript, cookies, etc. and run virtualized, you are not safe.

What makes this more dangerous than hardware-accelerated Flash, SilverLight, etc.?

I got NoScript working with WebGL, very useful.

Hungry Man
October 23rd, 2011, 06:28 PM
Flash has long been on the web. First came Flash then came hardware accelerated Flash.

This was the opposite way around for WebGL. First came OpenGL then came internet WebGL.

I do not know how well Sandboxie would do depending on the attack. Sandboxie 64bit has kernel-level drawbacks and this would be a kernel-level exploit.

In a generic attack you'd probably be fine. In a targeted attack maybe not.

Hungry Man
October 23rd, 2011, 06:30 PM
I'd also bet that even GPU accelerated layers like Flash are still living almost entirely on the Application layer, which isn't nearly as dangerous.