More threads by David Baxter PhD

David Baxter PhD

Late Founder
Microsoft calls graphics technology in Chrome and Firefox "harmful"
By Ed Bott, ZDNet
June 17, 2011
In an unusually blunt statement, Microsoft has announced that it considers the Khronos Group’s WebGL graphics technology too dangerous to support in Windows.

Currently, both Google Chrome and Mozilla Firefox are shipping with support for WebGL. Google calls it “the most powerful way to add 3D graphics to web pages” and encourages developers to “experiment with graphics programming.” Mozilla pitches WebGL as ideal for “interactive 3D games, vivid graphics and new visual experiences for the Web without the use of third-party plug-ins.”

Microsoft’s announcement, WebGL Considered Harmful, was published on the official blog of the Microsoft Security Response Center (MSRC) and signed by MSRC Engineering. It was posted by swiat, which is short for Secure Windows Initiative Attack Team, the group that is responsible for the security architecture of Windows and other Microsoft products.

The statement comes on the heels of a pair of reports from Context Information Security that described “serious design flaws” and “security issues” in WebGL. The most recent post included a demonstration of how to steal user data through a web browser.

Microsoft threw all its security muscle behind some very strongly stated conclusions:

One of the functions of MSRC Engineering is to analyze various technologies in order to understand how they can potentially affect Microsoft products and customers. As part of this charter, we recently took a look at WebGL. Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft’s Security Development Lifecycle requirements.

[…]
We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.

The report argues that browser support for WebGL “directly exposes hardware functionality to the web in a way that we consider to be overly permissive.” Graphics drivers can’t be depended on to uphold security guarantees, and there’s no workable security servicing model for video card drivers. Given the prevalence of attacks using third-party vulnerabilities (Adobe Flash files and Java apps, for example), that seems like a legitimate concern.

Microsoft also contends that the use of WebGL enables denial-of-service scenarios that would make it “possible for any web site to freeze or reboot systems at will.”

In an e-mailed statement, Ari Bixhorn of Microsoft’s Internet Explorer team took a direct swipe at its competition:

Customers need to understand that the security of their computers is at risk when they browse the web using Google Chrome and Firefox. Because these browsers support WebGL, they open a door for malicious websites to access one of the most secure parts of a person’s computer. With security holes like this, it’s clear that WebGL isn’t ready for primetime, and that people shouldn’t be using a browser that supports it. This is why the Microsoft Security Response Center recently recommended against the use of WebGL in Microsoft products like Internet Explorer.

In a response to other media outlets, Khronos Group downplays security concerns, suggesting that browser vendors are still working toward passing a WebGL conformance suite and that the demonstrated security issue is “due to a bug in Firefox’s WebGL implementation.” That bug is reportedly resolved in Firefox 5, which is due for release before the end of the month.

A Khronos Group spokesperson declined to respond directly to Microsoft’s report but noted that Mozilla, Firefox, and Opera all strongly support WebGL, and Apple has announced limited support for WebGL in iOS 5.

A Google spokesperson said the company doesn’t see WebGL as a significatn threat to its users. Many parts of the WebGL stack, including the GPU process, “run in separate processes and are sandboxed in Chrome to help prevent various kinds of attacks,” the spokesperson added. Google says it can ward off lower level attacks by working with hardware, OS, and driver vendors to disable WebGL on system configurations that are found to be unsafe.
 

David Baxter PhD

Late Founder
Microsoft is right to label WebGL harmful

Microsoft is right to label WebGL 'harmful'
By Adrian Kingsley-Hughes, ZDNet
June 17, 2011

While Firefox and Chrome browsers already support WebGL, along with development versions of Opera and Safari, Microsoft has said that it has no plans to make Internet Explorer support the 3D graphics software library, and branded it a ‘harmful‘ technology.

Microsoft’s right.

Note
: Mozilla were the original authors of WebGL but the project is now handled by the not-for-profit consortium The Khronos Group.

Now don’t get me wrong, you can do cool stuff with WebGL. Really cool, impressive stuff that allows web browsers to deliver 3D graphics along the lines of a computer game. But the problem is that while you can do some really cool stuff with WebGL, because the technology gives web sites direct access the to low-level hardware functions, bad things can be done with it too.

Microsoft has outlined its concerns over WebGL pretty clearly:

“The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really need to worry about before,” Microsoft’s engineer claims. “Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern.

These are all valid points. Driver security would be a major issue, and it’s something that people haven’t needed to worry about that much up until now. OEMs would need to significantly harden their drivers, while system using old, insecure drivers would need to be blocked from being able to make use of WebGL altogether until the drivers could be updated, or permanently if the hardware is end-of-life. Given the huge market share that Internet Explorer commands, and the wide array of platforms that the browser runs on, Microsoft is, I think, doing the right thing in playing it safe.

But wasn’t Microsoft the company that unleashed ActiveX onto unsuspecting Web users? Sure it was. Web-based ActiveX controls were a really bad idea, but I’d like to think that the company has learned from previous mistakes. There’s no way that Microsoft would bake a technology like ActiveX into the browser given the current security pressures on the browser.

But how bad is WebGL? Security firm Context has found a number of issues with WebGL, two of which stand out:
  • Document leakage via memory theft
  • Denial of Service (DoS)
Pretty serious stuff. Overall, Context is pretty damning of WebGL, even critical of the mechanism designed to protect users from DoS attacks:

Furthermore, Context’s research found that Khronos’ recommended defence against the DoS issue (WebGL_ARB_robustness) is not fit for purpose. First, only certain chipsets and operating systems (NVidia on Windows and Linux) support this feature. Moreover, this extension only offers mitigation, not a comprehensive solution to WebGL DoS issues.

While there are undoubtedly upsides to WebGL, the downsides are a major worry. WebGL security will undoubtedly improve as time goes on, bit for now Microsoft made the right choice to give it a wide berth.
 
Replying is not possible. This forum is only available as an archive.
Top