AfterDawn: Tech news

Microsoft engineers reveal WebGL security woes

Written by James Delahunty @ 19 Jun 2011 11:37 User comments (4)

Microsoft engineers reveal WebGL security woes If you wondered why Microsoft's thrust to add more features and functionality to its Internet Explorer browser has excluded WebGL, here's an answer.
You could be forgiven to tempt an assumption that a Microsoft snub of WebGL is simply the Redmond-based giant's way of ignoring an open standard, in favor of its own proprietary Direct3D, but Microsoft engineers have put forth some real questions for the emerging standard to answer on security.

WebGL stands for Web-based Graphics Library. It provides an (OpenGL-based) API for 3D graphics within web browsers, filling part of an increasing demand for a much richer web experience for end users. Mozilla, Google and Apple have backed the technology with their browser packages, but Microsoft is not yet ready to endorse it.

Microsoft engineers analyzed WebGL and found that they cannot endorse the technology from a security perspective, finding that Microsoft products supporting WebGL would have a difficult time passing Microsoft's Security Development Lifecycle requirements.



The engineers split the problem into three main concerns with widespread use of WebGL.

  • #1 - Microsoft: "Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive"

    The engineers find that WebGL security heavily relies on low level components of the system, such as manufacturer drivers provided for video hardware. The problem is, when the drivers were written by manufacturers, they were written with the assumption that they would only be used by trusted/safe local code. That is, applications installed on a system by the user locally. As it is, developers that code for graphics hardware have to go to lengths just to ensure that their code won't cause any major problems. We have all, at least once, experienced a system that required a display driver update to solve a problem with a game or other software.

    The concern of the engineers is WebGL will expose video drivers to exploitation attempts on malicious websites in much the same way as browser vulnerabilities are targeted now. The display drivers and software distributed by manufacturers have never had to deal with this kind of threat before. The engineers do suggest that there might be ways to prevent against such attacks (like how a web browser is hardened by sandboxing and DEP systems), but still, "the large attack surface exposed by WebGL remains a concern."

  • #2 - Microsoft: "Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience"

    This point builds on the first point, highlighting that the on-going security of WebGL would depend on third-parties, as opposed to depending on updates to WebGL technology or updates from browser manufacturers. If a bug is found in Google Chrome, then Google will push out an updated build with the bug fixed and can close that attack target completely. However, in the case of an attack that targets a vulnerability with a certain display driver, this might not be possible for Google to prevent and the browser may still be used as delivery means.



    Some suggestions have included identifying and blacklisting certain drivers or hardware configurations, but this brings up questions of disruption of consumer experience. The Microsoft engineers point out that most PC users are not accustomed to updating their system drivers regularly, and even if they are, there are other factors to take into account such as whether a vendor is even providing updates for certain hardware anymore. In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often also only update display drivers about once per year.

    The Microsoft engineers find that this inconsistency makes an efficient security servicing model (like Windows Update) targeting WebGL security impossible.

  • #3 - Microsoft: "Problematic system DoS scenarios"

    The engineering team concludes that modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Client-side DoS is not considered a high severity threat, but the engineering team says the problem needs to be addressed holistically to prevent possible scenarios such as malicious web sites freezing a system or causing it to crash and reboot.

Microsoft's engineers predicted that WebGL will turn out to be an on-going source of hard-to-fix vulnerabilities, and said it is not a technology that the company can endorse now from a security perspective.

"We recognize the need to provide solutions in this space however it is our goal that all such solutions are secure by design, secure by default, and secure in deployment."

Previous Next  

4 user comments

119.6.2011 16:36

God forbid somebody finds a security issue in IE...

219.6.2011 18:17
oappi
Inactive

@shortybob
Just what i thought after reading this. Also activex came to my. Someone from id even talked about activex having very bad security since you could even put code on your web page that would format drives of those who visit your site. After that disaster i wouldn't take any security advices from ms.

(btw shouldn't that be direct3d and not diect3d?)

319.6.2011 18:38

Originally posted by oappi:
@shortybob
Just what i thought after reading this. Also activex came to my. Someone from id even talked about activex having very bad security since you could even put code on your web page that would format drives of those who visit your site. After that disaster i wouldn't take any security advices from ms.

(btw shouldn't that be direct3d and not diect3d?)


Yep it should be, thanks.

420.6.2011 01:20

ActiveX is only still there for backwards compatibility; you have to manually enable it at each site you want to use it with. This is why it is so important not to widely adopt insecure protocols...because organizations like the FDA adopt a protocol and keep using it for the next 20 years regardless of the consequences.

Just wait until HTML5 has rolled out a little more...it will make ActiveX look safe.

Comments have been disabled for this article.

News archive