WebGL gets a bad rap

WebGL - a technology designed to allow the generation of interactive 3D graphics in JavaScript - is attracting growing criticism from a security perspective.


WebGL allows hardware-accelerated 3D graphics within a browser window. It works with JavaScript, and avoids the need for plug-ins or other add-on software.

WebGL is a feature of current versions of Firefox and Chrome.

Last month, Context Information Security raised the possibility of creating malicious WebGL components that exploit vulnerabilities in graphics drivers. WebGL generates code and data that is executed by the computer's GPU (graphics processing unit).

"Considering the complexity of the drivers and hardware interactions it seems hard to believe that there has never been an exploitable bug in their [ATI's or Nvidia's] software which needed immediate remediation," noted Context. Furthermore, the company noted that the vendor's reference driver is typically blocked from installing on laptops and so any security-related updates are harder than necessary to deploy.

Potential exploits include denial of service (eg, by tying up the GPU for extended periods, or by causing a complete crash), and Context pointed out that WebGL project manager Khronos provides sample code in the SDK which serves as a proof of concept for this issue. Context itself offers a proof of concept for cross-domain image theft via WebGL.

How did Khronos respond? What did US-CERT and Microsoft have to say about WebGL? Please read on.