WebGL flaws hit Firefox and Chrome


Web users have been told to turn off the WebGL 3D rendering engine in Firefox 4 and Google Chrome due to security issues.

The US Computer Emergency Readiness Team (US-CERT) recommended users turn off WebGL, designed to display 3D graphics in browsers on any machine, after Context Information Security found problems in the rendering tool.

The flaws could hand hackers low level access to graphics cards, potentially providing a back door for cyber criminals looking to get their hands on user data.

If a user visited a site with malicious WebGL script, the WebGL component would then upload a specified 3D code to the end user's graphics card, Context said in a blog post.

The code could then exploit flaws in unpatched graphics drivers, meaning the GPU could be attacked causing a machine to completely shut down.

Context said one of the central issues was that WebGL provides access to the graphics hardware. In comparison, with 2D graphic acceleration, the actual functionality of the GPU is not directly exposed to a webpage.

Therefore WebGL could allow for the creation of shader programs designed to suck up the targeted computer's power, effectively carrying out a denial of service attack and preventing the user from accessing their machine, according to Context.

"The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted," said Michael Jordon, research and development manager at Context.

"While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross domain security principle to denial of service attacks, potentially leading to full exploitation of a user's machine."

WebGL, which can be switched on in Apple's Safari browser as well, is becoming more widely used in modern smartphones, the security firm noted.

"We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem, but is down largely to the WebGL specification, which is inherently insecure," Jordon added.

Context said the problems were "inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design."

The Khronos Group, which officially released WebGL 1.0 in March, defended the security credentials of the standard.

"The WebGL specification was developed with security concerns in mind from day one, and the WebGL working group has been working closely with the GPU vendors in the Khronos group on WebGL security," the Khronos Group said in a website posting.

"The Khronos group has already specified one extension to OpenGL, GL_ARB_robustness, specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content, and is continuing to rapidly iterate on security-related functionality."

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.