Jun 17, 2011 12:51 GMT

Microsoft engineers consider the new WebGL technology harmful to security because it exposes low-level resources to the Internet in a way that might lead to critical vulnerabilities in the future.

Microsoft takes issue with the fact that the security of the entire WebGL specification, which is designed to give web applications access to 3D graphics processing power, is dependent on the quality of OEM drivers.

The company's security engineers do not believe that GPU vendors like Nvidia, ATI, Intel and others, who are developing WebGL as part of the Khronos Group, can guarantee secure development of their drivers, especially since they haven't had to deal with such issues until now.

"Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern," the Microsoft experts say.

The software giant believes that WebGL might prove to be a future source of vulnerabilities that are hard to fix. This is because, even if the holes are patched, people are not in the habit of upgrading their drivers.

In addition to remote code execution, there are also concerns related to denial of service scenarios that WebGL might facilitate. "Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry," Microsoft warns.

Since hardware manufacturers cannot be relied upon to deliver quick fixes to security issues or to convince users to deploy patches, the burden of mitigating attacks falls upon the WebGL implementations themselves. So far, this theory hasn't stood up in the face of vulnerabilities discovered recently.

"In its current form, WebGL is not a technology Microsoft can endorse from a security perspective. We recognize the need to provide solutions in this space however it is our goal that all such solutions are secure by design, secure by default, and secure in deployment," the software giant concluded.