14 DAY TRIAL // WebGL, a new web standard for browsers focused on enabling 3D graphics without requiring a plug-in contains a number of security issues, according to independent information security consultancy firm Context. The security outfit cites security problems within the specification and implementations of the web standard, and notes that browsers supporting WebGL put customers at risk.
Context published the “WebGL - A New Dimension for Browser Exploitation” report, authored by James Forshaw which flags dangers for users’ data, privacy and security.
On May 10th, 2011, the United States Computer Emergency Readiness Team (US-CERT) also raised a flag over WebGL security risks pointing to the Context report and advising IT administrators to disable WebGL altogether in order to mitigate potential attacks.
“US-CERT is aware of reports indicating that WebGL contains multiple significant security issues. The impact of these issues includes arbitrary code execution, denial of service, and cross-domain attacks. WebGL is a new web standard that is enabled by default in Firefox 4 and Google Chrome and is included in Safari,” the organization notes.
The latest versions of Apple Safari, Google Chrome and by extension Chrome OS, Mozilla Firefox, and Opera all support WebGL, with Internet Explorer 9 being the exception.
In this context, customers currently leveraging IE9 are inherently safe from any WebGL woes, since the browser does not play nice with this particular web standard.
IE9 instead relies on Windows’ DirectX API in order to power the hardware acceleration feature which enables it to make use of the computer’s GPU to provide enhanced experiences to customers.
Despite the fact that US-CERT refers to arbitrary code execution as one result of WebGL’s security issues, no such mention is found in the Context report, which only details denial of service and cross-domain attacks.
However, it might be that the US-CERT’s advice to turn off WebGL altogether is based on additional information than just the Context report.
Whichever the case, IE9 users will be able to run their browser with hardware acceleration turned on and not worry about any WebGL issues, security related or otherwise.
Internet Explorer 10 (IE10) Platform Preview 1 (PP1) is available for download here.
Windows Internet Explorer 9 RTW for Windows 7 and Windows 7 SP1 is available for download here.