Is WebGL dangerous?

Discussion in 'other software & services' started by vasa1, May 11, 2011.

Thread Status:
Not open for further replies.
  1. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,796
    Location:
    Texas
    http://www.h-online.com/security/news/item/Khronos-respond-to-WebGL-security-report-1241304.html
     
  3. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Interesting...
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    If it is verified and patched quickly, I don't see how WebGL is worse than Flash.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Definitely seems worse than flash considering that OGL gives direct access to hardware and since graphics drivers are not created with security in mind. Flash at least gets security updates. Graphics drivers pretty much only ever get performance/ stability updates because up until very recently they've only been used for games. The API is wide open and allows a TON to be done with it. Whereas flash's API is far more closed by comparison.
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Wide open API tend to be more secure than closed API. Look at Linux, FreeBSD, Chrome, etc.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Chrome's extension API is quite closed. Same goes for the API that chrome is pushing for flash.

    Open API means fewer limits.

    And again, this isn't even to mention the fact that exlpoiting OGL means direct access to a hardware component. The reason this is a big deal is not because of the fact that they can exploit it it's because when they do exploit it they'll gain access to critical system parts.
     
  8. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    https://blogs.technet.com/b/srd/archive/2011/06/16/webgl-considered-harmful.aspx
     
  10. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,198
    Location:
    Surrey, England.
    Firefox web 3D engine fosters image theft bug

    "An industry standard graphics engine recently added to Mozilla's Firefox browser allows attackers to surreptitiously steal any image displayed on a Windows or Mac computer just by visiting a booby-trapped website, security researchers have warned." :

    http://www.theregister.co.uk/2011/06/16/webgl_security_threats_redux/
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Re: Firefox web 3D engine fosters image theft bug

    Is Chrome also vulnerable?
     
  12. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    Merged Threads to Continue Same Topic!
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Re: Firefox web 3D engine fosters image theft bug

    No, but the article describes how you can disable webgl in Chrome, advice which I've followed.

     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Re: Firefox web 3D engine fosters image theft bug

    I'm just not even slightly worried about WGL exploits because we haven't seen anyone actually make use of one yet.
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Why risk it ? You know how ingenious some of the baddies are these days, any which way they can to get in, they will try !

    You can disable it with NoScript :)

    gl.gif
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    WebGL needs javascript to initiate, no? I have javascript on a whitelist. Honestly, that's about as much work as I'm willing to put into protecting myself from a new vulnerability that hasn't been utilized once publicly.
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I think it's not a big issue, not because the exploits aren't out there, but simply because WebGL is barely used anywhere period. It's just yet another case of browser makers adding in new things that will take the web, as a whole, years to adopt. And, since browser vendors now have this "me too" obsession, they'll all have this risk to contend with.
     
  18. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    More on the WebGL story:
    http://www.theregister.co.uk/2011/06/16/webgl_security_threats_redux/

     
  19. chachazz

    chachazz Updates Team

    Joined:
    Apr 23, 2004
    Posts:
    840
    Mozilla Security: Blog WebGL graphics memory stealing issue
    06.16.11 - 06:44pm
    http://blog.mozilla.com/security/2011/06/16/webgl-graphics-memory-stealing-issue/

    Issue
    There is a specific security issue with the WebGL implementation in Firefox 4.

    Impact to users
    This issue allows attackers to capture screen shots of private or confidential information.

    Status
    Mozilla is aware of this bug and has issued a fix that will be released with the next version of Firefox, tentatively scheduled for June 21.

    This is a Firefox-specific implementation issue not a WebGL specification issue.

    In the interim, to protect themselves users can update to Firefox Beta or temporarily disable WebGL.

    To disable WebGL, in Firefox go to about:config and set webgl.disabled to true.

    Credit
    The bug was reported by Context.
     
  20. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    As safe as technology that allows you to run 3rd party commands/scripts against a subsystem on your machine, like active X or Java applets.

    Question is what attack vectors are there via the Open GL drivers ?
    Its been over 10 years since I wrote any Open GL, but the API did not appear to have any direct access to the rest of the system, I suspect that all can be done are exploits which means its down to the underlying video sub system as what the range of potential exploitation and means security being tighten up by the driver developers or possible browser developers who develop some filtering and protection (e.g. block dangerous webgl command).

    Cheers, Nick
     
  21. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    The argument continues:
    http://www.h-online.com/security/news/item/Mozilla-rejects-Microsoft-s-WebGL-criticism-1263986.html
    and more, this time supposedly by an employee of MS in a private blog:
    Microsoft's WebGL claims bashed by own employee
     
    Last edited: Jun 20, 2011
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I think Microsoft's concerns about WebGL are basically a PR move to protect the company's interests. WebGL itself is no more or less dangerous than Flash right now. Heck, most of the vulnerabilites will be with the software and not with the graphics drivers. In any case, most video card giants like Intel, NVIDIA and AMD release drivers at least on a tri-monthly basis.

    Microsoft's real concern lies with the word "lifecycle". Since any future vulnerabilities will involve Microsoft having to patch it for older versions of IE as well as older versions of Windows (which they'd happily be willing to drop support for once the lifecycle is up), they don't like it.
     
  23. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Really? Does flash give you direct access to GPU metal? I highly doubt it.

    So? Video drivers are amongst the most non-updated software around, add to that the people that are forced to use older versions due to FPS issues with newer versions. Also, you can't just start patching video drivers for security, they are designed for maximum performance, this is a big worry with WebGL also.

    The Steam Hardware & Software Survey gives a good idea of how people are with updating video drivers, with some dating back to 2008. Considering Steam is a gaming platform, the kind of people who are generally more aware of what video driver updates are, you simply cannot pull the "just update the video drivers" excuse.

    If Flash and Silverlight can be designed to give a better balance between security and gaming efficiency then surely a version of WebGL can do so, in my opinion.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    nVidia and AMD release them monthly. And there are already ways to secure OGL that the article mentioned it's just a matter of updating to the most recent drivers.

    "Just update the video drivers" is a plenty valid "excuse." Keeping your software up to date is a perfectly valid form of mitigation that more people need to pay attention to.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, it's valid. But, it's also a valid "excuse" that if new breaks what old didn't, then people will revert to old.

    We're living in a o_O world, that's what it is. :-* ;)
     
Loading...
Thread Status:
Not open for further replies.