Is WebGL dangerous?

New graphics engines imperil users of Firefox and Chrome

 

Interesting...

 

If it is verified and patched quickly, I don't see how WebGL is worse than Flash.

 

Definitely seems worse than flash considering that OGL gives direct access to hardware and since graphics drivers are not created with security in mind. Flash at least gets security updates. Graphics drivers pretty much only ever get performance/ stability updates because up until very recently they've only been used for games. The API is wide open and allows a TON to be done with it. Whereas flash's API is far more closed by comparison.

 

Wide open API tend to be more secure than closed API. Look at Linux, FreeBSD, Chrome, etc.

 

Chrome's extension API is quite closed. Same goes for the API that chrome is pushing for flash.

Open API means fewer limits.

And again, this isn't even to mention the fact that exlpoiting OGL means direct access to a hardware component. The reason this is a big deal is not because of the fact that they can exploit it it's because when they do exploit it they'll gain access to critical system parts.

 

Mozilla disables Firefox 5 WebGL's cross domain textures - update

 

https://blogs.technet.com/b/srd/archive/2011/06/16/webgl-considered-harmful.aspx

 

Firefox web 3D engine fosters image theft bug

"An industry standard graphics engine recently added to Mozilla's Firefox browser allows attackers to surreptitiously steal any image displayed on a Windows or Mac computer just by visiting a booby-trapped website, security researchers have warned." :

http://www.theregister.co.uk/2011/06/16/webgl_security_threats_redux/

 

Re: Firefox web 3D engine fosters image theft bug

Is Chrome also vulnerable?

 

Re: Firefox web 3D engine fosters image theft bug

No, but the article describes how you can disable webgl in Chrome, advice which I've followed.

 

Re: Firefox web 3D engine fosters image theft bug

I'm just not even slightly worried about WGL exploits because we haven't seen anyone actually make use of one yet.

 

Why risk it ? You know how ingenious some of the baddies are these days, any which way they can to get in, they will try !

You can disable it with NoScript

 

WebGL needs javascript to initiate, no? I have javascript on a whitelist. Honestly, that's about as much work as I'm willing to put into protecting myself from a new vulnerability that hasn't been utilized once publicly.

 

I think it's not a big issue, not because the exploits aren't out there, but simply because WebGL is barely used anywhere period. It's just yet another case of browser makers adding in new things that will take the web, as a whole, years to adopt. And, since browser vendors now have this "me too" obsession, they'll all have this risk to contend with.

 

More on the WebGL story:
http://www.theregister.co.uk/2011/06/16/webgl_security_threats_redux/

 

Mozilla Security: Blog WebGL graphics memory stealing issue
06.16.11 - 06:44pm
http://blog.mozilla.com/security/2011/06/16/webgl-graphics-memory-stealing-issue/

Issue
There is a specific security issue with the WebGL implementation in Firefox 4.

Impact to users
This issue allows attackers to capture screen shots of private or confidential information.

Status
Mozilla is aware of this bug and has issued a fix that will be released with the next version of Firefox, tentatively scheduled for June 21.

This is a Firefox-specific implementation issue not a WebGL specification issue.

In the interim, to protect themselves users can update to Firefox Beta or temporarily disable WebGL.

To disable WebGL, in Firefox go to about:config and set webgl.disabled to true.

Credit
The bug was reported by Context.

 

As safe as technology that allows you to run 3rd party commands/scripts against a subsystem on your machine, like active X or Java applets.

Question is what attack vectors are there via the Open GL drivers ?
Its been over 10 years since I wrote any Open GL, but the API did not appear to have any direct access to the rest of the system, I suspect that all can be done are exploits which means its down to the underlying video sub system as what the range of potential exploitation and means security being tighten up by the driver developers or possible browser developers who develop some filtering and protection (e.g. block dangerous webgl command).

Cheers, Nick

 

The argument continues:
http://www.h-online.com/security/news/item/Mozilla-rejects-Microsoft-s-WebGL-criticism-1263986.html

and more, this time supposedly by an employee of MS in a private blog:
Microsoft's WebGL claims bashed by own employee

 

I think Microsoft's concerns about WebGL are basically a PR move to protect the company's interests. WebGL itself is no more or less dangerous than Flash right now. Heck, most of the vulnerabilites will be with the software and not with the graphics drivers. In any case, most video card giants like Intel, NVIDIA and AMD release drivers at least on a tri-monthly basis.

Microsoft's real concern lies with the word "lifecycle". Since any future vulnerabilities will involve Microsoft having to patch it for older versions of IE as well as older versions of Windows (which they'd happily be willing to drop support for once the lifecycle is up), they don't like it.

 

Really? Does flash give you direct access to GPU metal? I highly doubt it.

So? Video drivers are amongst the most non-updated software around, add to that the people that are forced to use older versions due to FPS issues with newer versions. Also, you can't just start patching video drivers for security, they are designed for maximum performance, this is a big worry with WebGL also.

The Steam Hardware & Software Survey gives a good idea of how people are with updating video drivers, with some dating back to 2008. Considering Steam is a gaming platform, the kind of people who are generally more aware of what video driver updates are, you simply cannot pull the "just update the video drivers" excuse.

If Flash and Silverlight can be designed to give a better balance between security and gaming efficiency then surely a version of WebGL can do so, in my opinion.

 

nVidia and AMD release them monthly. And there are already ways to secure OGL that the article mentioned it's just a matter of updating to the most recent drivers.

"Just update the video drivers" is a plenty valid "excuse." Keeping your software up to date is a perfectly valid form of mitigation that more people need to pay attention to.

 

Yes, it's valid. But, it's also a valid "excuse" that if new breaks what old didn't, then people will revert to old.

We're living in a world, that's what it is.