About a month ago, I posted a note here about some security concerns with the new WebGL graphics API, designed to allow browsers that support the HTML 5 standard to produce 2-D and 3-D graphics without the use of plugins. Context Information Security, a security consulting firm based in the UK, had published a report outlining some potentially serious security problems in both the design and the implementation of WebGL.
This past week, Microsoft, in a post on its Security Research and Defense blog, said that it, too, had security concerns about WebGL — concerns sufficiently serious that:
In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.
The post outlined three major areas of concern:
- WebGL support in browsers exposes a large new attack surface to malicious code, not only in the API itself, but also in lower-level code that was never designed to be accessed directly by applications. (In the browser context, this is even more serious, since the applications may not be local, but loaded from a Web server.)
- Security support for WebGL requires an effective security maintenance process not only from the browser and API suppliers, but also from OEMs who supply drivers for their graphics cards. Users are not accustomed to worrying about whether their device drivers are up to date, and the vendors are not used to having to supply time-critical updates.
- WebGL provides substantial scope for Denial-of-Service [DoS[ attacks. It may not be possible to mitigate these treats adequately for critical systems.
Context Information Security has also released a follow-up report, in which they examined the current implementations of WebGL in the Firefox and Chrome browsers, on a variety of platforms. Context looked at how well the current implementations performed against the test suite provided by the Khronos Group, developers of the WebGL specification. The results were not entirely reassuring.
Context identified … issues with WebGL by evaluating Chrome and Firefox WebGL implementations against the conformance test suite devised by Khronos, the consortium which draws up the WebGL specification. We have established that none of the current implementations comply with this standard.
They also argue that some parts of the standard itself are deficient.
Context’s research found that Khronos’ recommended defence against the DoS issue (WebGL_ARB_robustness) is not fit for purpose.
The defense is only supported by certain combinations of graphics chipset and operating system (nVidia on Windows or Linux), and is only a mitigation, not a complete fix.
The Context report also has illustrations of a DoS attack, and of the possibility of malware that can copy information from other windows on the desktop.
The vulnerability we discovered enables any graphics image that has been displayed on the system to be stolen by an attacker by reading uninitialised data from graphics memory. This is not limited to WebGL content but includes other web pages, a user’s desktop and other applications.
In other words, a malicious WebGL application in the browser might be able to copy confidential information that was displayed by an entirely different application.
As the Context report notes, it is not reasonable to expect a new technology, such as WebGL, to spring into existence without any flaws or deficiencies; but the potential problems with WebGL seem more serious than usual. It seems to me that caution should be the order of the day.