Thursday, 16 June 2011 19:25

More security problems for WebGL

By Liz Hartney

Context highlights additional WebGL vulnerabilities and raises more questions for Khronos

16 June 2011: Researchers at Context Information Security who exposed security flaws in WebGL last month have identified further concerns about early implementations of the new technology that allows web pages to draw fast 3D graphics to deliver a much richer experience to web users. In one example, a vulnerability in the Mozilla Firefox browser made it possible for malicious web pages to capture any screenshot from a target PC - including the user's desktop, other web pages or applications. By revealing that none of the current implementations comply with WebGL conformance standards, Context also raises serious questions for Khronos, the consortium which has drawn up the WebGL specification and conformance tests.

The findings are published today along with videos in a Context blog at:

Context's original investigations discovered design level security issues that provide a 'back-door' to low-level parts of the operating system via some graphics cards, which were never designed to defend against this type of threat. Following further investigations, Context researchers have discovered that neither Chrome nor Firefox passed the 144 Khronos conformance tests for WebGL, including a number that are directly related to security.

'While Mozilla has taken steps to mitigate the original vulnerabilities and will fix this latest threat in the new version of its browser, scheduled for release on 21 June, we believe this is the tip of the iceberg for the difficult adoption of this immature technology, leaving users vulnerable,' says Michael Jordon, Research and Development Manager at Context.

'The fact that security-related Khronos conformance tests are not clearly identified has been a contributory factor in security issues being missed by developers of the current browser implementations of WebGL,' adds Jordon. 'It would be unreasonable to expect full conformance to the complete specification of any new standard but some areas of WebGL need to be carefully implemented to prevent security issues arising. Browser developers should now start banning non-conformant configurations as they are identified until the security issues that have been highlighted are resolved.'

Context's research also found that Khronos' recommended defence against the Denial of Service issue, WebGL_ARB_robustness, is not fit for purpose. It is only supported by certain chipsets and operating systems such as NVidia on Windows and Linux, and the extension only offers mitigation and not a comprehensive solution to WebGLDoS issues.

The risks from WebGL depend on the web browser, operating system and graphics card being used. WebGL is currently supported only on Firefox and Chrome and currently users of Internet Explorer, Safari or Opera are not vulnerable to WebGL issues. 'We would advise anyone at risk to disable WebGL until the security vulnerabilities have been addressed,' added Jordon. 'We have been working with developers of the Firefox plug-in NoScript to include support to selectively disable WebGL and would recommend this plug-in to protect users from malicious Internet content.'

The full Context blog including two videos can be seen at:

Subscribe to ITWIRE UPDATE Newsletter here

Active Vs. Passive DWDM Solutions

An active approach to your growing optical transport network & connectivity needs.

Building dark fibre network infrastructure using WDM technology used to be considered a complex challenge that only carriers have the means to implement.

This has led many enterprises to build passive networks, which are inferior in quality and ultimately limit their future growth.

Why are passive solutions considered inferior? And what makes active solutions great?

Read more about these two solutions, and how PacketLight fits into all this.


WEBINAR INVITE 8th & 10th September: 5G Performing At The Edge

Don't miss the only 5G and edge performance-focused event in the industry!

Edge computing will play a critical part within digital transformation initiatives across every industry sector. It promises operational speed and efficiency, improved customer service, and reduced operational costs.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

But these technologies will only reach their full potential with assured delivery and performance – with a trust model in place.

With this in mind, we are pleased to announce a two-part digital event, sponsored by Accedian, on the 8th & 10th of September titled 5G: Performing at the Edge.


Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News