WebGL flaws hit Firefox and Chrome

Firefox and Chrome users are told to turn off WebGL after a security firm warns of "inherent" issues with the rendering tool.

Hacker

Web users have been told to turn off the WebGL 3D rendering engine in Firefox 4 and Google Chrome due to security issues.

The US Computer Emergency Readiness Team (US-CERT) recommended users turn off WebGL, designed to display 3D graphics in browsers on any machine, after Context Information Security found problems in the rendering tool.

The flaws could hand hackers low level access to graphics cards, potentially providing a back door for cyber criminals looking to get their hands on user data.

If a user visited a site with malicious WebGL script, the WebGL component would then upload a specified 3D code to the end user's graphics card, Context said in a blog post.

The code could then exploit flaws in unpatched graphics drivers, meaning the GPU could be attacked causing a machine to completely shut down.

Context said one of the central issues was that WebGL provides access to the graphics hardware. In comparison, with 2D graphic acceleration, the actual functionality of the GPU is not directly exposed to a webpage.

Therefore WebGL could allow for the creation of shader programs designed to suck up the targeted computer's power, effectively carrying out a denial of service attack and preventing the user from accessing their machine, according to Context.

"The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted," said Michael Jordon, research and development manager at Context.

"While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross domain security principle to denial of service attacks, potentially leading to full exploitation of a user's machine."

WebGL, which can be switched on in Apple's Safari browser as well, is becoming more widely used in modern smartphones, the security firm noted.

"We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem, but is down largely to the WebGL specification, which is inherently insecure," Jordon added.

Context said the problems were "inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design."

The Khronos Group, which officially released WebGL 1.0 in March, defended the security credentials of the standard.

"The WebGL specification was developed with security concerns in mind from day one, and the WebGL working group has been working closely with the GPU vendors in the Khronos group on WebGL security," the Khronos Group said in a website posting.

"The Khronos group has already specified one extension to OpenGL, GL_ARB_robustness, specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content, and is continuing to rapidly iterate on security-related functionality."

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Recommended

Google reveals five high-risk flaws in Chrome browser
vulnerability

Google reveals five high-risk flaws in Chrome browser

3 Sep 2021
Challenging the rules of security
Whitepaper

Challenging the rules of security

23 Aug 2021
Chrome vs Firefox vs Microsoft Edge
web browser

Chrome vs Firefox vs Microsoft Edge

7 Jul 2021
Windows devices targeted by PuzzleMaker malware exploiting Chrome zero-day flaw
zero-day exploit

Windows devices targeted by PuzzleMaker malware exploiting Chrome zero-day flaw

9 Jun 2021

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Apple patches zero-day flaw abused by infamous NSO exploit
exploits

Apple patches zero-day flaw abused by infamous NSO exploit

14 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021