The US Computer Emergency Response Team (US-CERT) has issued a warning advising companies and users to disable WebGL in their browsers because of recently disclosed security issues.
An information security consultancy firm called Context has recently published a white paper about the security risks of WebGL, a relatively new standard designed to allow websites to incorporate 3D graphics.
The technology is already enabled by default in the stable releases of Google Chrome and Mozilla Firefox, as well as in the development builds of Safari and Opera.
WebGL allows browsers to communicate directly with the graphics card drivers on the computer, which, according to Context, have not been built with security in mind.
"Graphics drivers are generally not written with security as their main focus, performance is likely to be most critical," the company's researchers note.
This exposes the graphics card to attacks from the Web, particularly to denial of service (DoS). Attackers could set up web pages that load specially crafted shader programs or 3D geometry in order to crash the cards.
According to Context, bypassing the same-origin policy is also possible through WebGL, which can result in the cross-domain theft of images. The researchers have even developed a proof-of-concept exploit to demonstrate this type of attack.
"Based on this limited research Context does not believe WebGL is really ready for mass usage, therefore Context recommends that users and corporate IT managers consider disabling WebGL in their web browsers," the security firm concludes in its paper.
This recommendation was echoed by US-CERT. However, the team states that "the impact of these issues includes arbitrary code execution," something which was not mentioned in the Context paper.
Arbitrary code execution on the system would indeed be a cause for serious concern, but US-CERT does not reveal how it reached this conclusion.
Meanwhile, the Khronos Group, an association of companies including Mozilla and Google which develop the WebGL standard, has downplayed the seriousness of the issues.
"WebGL is already influential in raising the awareness of GPU vendors to security issues and will play a significant role in helping GPUs become a first class computing platform alongside CPUs," the organization said.