Security researchers are warning users that there are a number of vulnerabilities and potential problems with WebGL, an emerging standard for 3D rendering on the Web, that could cause serious problems for users.
The weaknesses in WebGL range from denial-of-service problems to cross-domain file theft to complete crashes of the machine running a vulnerable browser. Research done by Context, a British security consultancy, shows that the WebGL problems–some of which have been known for some time–are inherent in the standard’s design and require some major changes in the standard itself.
“These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the Internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode),” Context researcher James Forshaw wrote in a blog post.
WebGL is an open standard that’s designed to render full 3D graphics through HTML5. The standard is implemented by default in Firefox 4, the latest version of Mozilla’s browser, and also is turned on by default in Google Chrome. WebGL can be enabled optionally in Apple Safari.
Forshaw said that the most immediate and well-known issue with WebGL is the ability for an attacker to cause a denial-of-service condition on a machine. The issue is raised in the WebGL documentation, in fact.
“Basically because of the almost direct access the WebGL API has to the graphics hardware it is possible to create shader programs or a set of complex 3D geometry which can cause the hardware to spend a significant proportion of its time rendering. It is easy to trivialise client denial of service attacks when the only affected component is the browser process (there are numerous ways of doing this already), however in this case the attack can completely prevent a user being able to access their computer, making it considerably more serious,” Forshaw wrote.
“In certain circumstances Context has observed the operating system crashing (i.e. Blue Screen of Death). These crashes can be benign (from an exploitability sense) to ones where the driver code has faulted causing potentially exploitable conditions.”
The seriousness of the problems with WebGL is somewhat magnified by the fact that the standard is enabled by default in Firefox 4 and Google Chrome, two of the more popular browsers on the Web. Fixing the problems will not be a simple matter.
“During the development of WebGL it seems that all the browser vendors supporting it have encountered issues with certain drivers being unstable or crashing completely. The current work around for this seems to be a driver black list (or in Chrome’s case not running WebGL on Windows XP at all). This does not seem to be a very tenable approach long term,” Forshaw wrote.
US-CERT is encouraging users to disable WebGL for the time being. Users of Firefox 4 can do this by taking the following steps:
- Go to the address bar and type: about:config
- Change the variable “webgl.disabled” to true
In Google Chrome, users need to go to the command line in Windows and enter the following command, according to the SANS Internet Storm Center: --disable-webgl.
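To confirm that the Firefox setting described above has taken effect across a machine's profiles, an administrator can read each profile's preference files. The following is an added example, not part of the original article or of Mozilla's code; it assumes the caller supplies the profiles directory, that preferences are stored as user_pref() lines in prefs.js, and that a user.js file in the same profile overrides them at startup.

```python
import re
from pathlib import Path

# Matches active lines such as: user_pref("webgl.disabled", true);
# Anchored at line start so commented-out prefs ("// user_pref(...)") are ignored.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {pref_name: raw_value} for each user_pref() line; last one wins."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs

def webgl_disabled(prefs_js="", user_js=""):
    """True only when the effective webgl.disabled value is true.

    user.js is applied over prefs.js at startup, so its value takes precedence.
    A missing pref counts as not disabled (WebGL is on by default in Firefox 4).
    """
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    return effective.get("webgl.disabled") == "true"

def _read(path):
    """Return a file's text, or an empty string if the file does not exist."""
    return path.read_text(errors="replace") if path.is_file() else ""

def audit_profiles(profiles_dir):
    """Map each profile directory name to True if WebGL is disabled there."""
    return {
        p.name: webgl_disabled(_read(p / "prefs.js"), _read(p / "user.js"))
        for p in sorted(Path(profiles_dir).iterdir()) if p.is_dir()
    }

# Constructed sample file contents (not taken from a real profile).
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("webgl.disabled", false);
'''
SAMPLE_USER_JS = 'user_pref("webgl.disabled", true);\n'

if __name__ == "__main__":
    print("prefs.js only:", webgl_disabled(SAMPLE_PREFS))
    print("with user.js :", webgl_disabled(SAMPLE_PREFS, SAMPLE_USER_JS))
```

Any profile reported as False still has WebGL available and needs the about:config change.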