Softpedia
 


May 11th, 2011, 17:23 GMT · By

US-CERT Recommends Disabling WebGL over Security Concerns

WebGL security issues prompt US-CERT alert
The US Computer Emergency Response Team (US-CERT) has issued a warning advising companies and users to disable WebGL in their browsers because of recently disclosed security issues.

An information security consultancy firm called Context has recently published a white paper about the security risks of WebGL, a relatively new standard designed to allow websites to incorporate 3D graphics.

The technology is already enabled by default in the stable releases of Google Chrome and Mozilla Firefox, as well as in the development builds of Safari and Opera.

WebGL allows browsers to communicate directly with the graphics card drivers on the computer, which, according to Context, have not been built with security in mind.

"Graphics drivers are generally not written with security as their main focus, performance is likely to be most critical," the company's researchers note.

This exposes the graphics card to attacks from the Web, particularly to denial of service (DoS). Attackers could set up web pages that load specially crafted shader programs or 3D geometry in order to crash the cards.

According to Context, bypassing the same-origin policy is also possible through WebGL, which can result in the cross-domain theft of images. The researchers have even developed a proof-of-concept exploit to demonstrate this type of attack.

"Based on this limited research Context does not believe WebGL is really ready for mass usage, therefore Context recommends that users and corporate IT managers consider disabling WebGL in their web browsers," the security firm concludes in its paper.

This recommendation was echoed by US-CERT. However, the team states that "the impact of these issues includes arbitrary code execution," something which was not mentioned in the Context paper.

Arbitrary code execution on the system would indeed be a cause for serious concern, but US-CERT does not reveal how it reached this conclusion.

Meanwhile, the Khronos Group, an association of companies including Mozilla and Google that develops the WebGL standard, has downplayed the seriousness of the issues.

"WebGL is already influential in raising the awareness of GPU vendors to security issues and will play a significant role in helping GPUs become a first class computing platform alongside CPUs," the organization said.


