“Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft’s Security Development Lifecycle requirements”, the Microsoft Security Research and Defense (MSRC) Engineering team wrote in a June 16 blog.
Last month, Context researcher James Forshaw warned that the WebGL 3D graphics standards, enabled by default in Firefox 4 and Google Chrome browsers, creates a browser vulnerability that allows an attacker to inject malicious code via the web browser, enabling attacks on the graphics processing unit (GPU) and graphics drivers.
In its blog, Microsoft said it found a number of security concerns with the WebGL graphics standards. First, browser support for WebGL exposes hardware to the web “in a way that we consider to be overly permissive.” This creates a vulnerability at the lower levels of the system, including OEM drivers. “Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise”, it said.
Second, support for WebGL security servicing responsibility relies too heavily on third parties. “As WebGL vulnerabilities are uncovered, they will not always manifest in the WebGL API itself. The problems may exist in the various OEM and system components delivered by [independent hardware vendors]. While it has been suggested that WebGL implementations may block the use of affected hardware configurations, this strategy does not seem to have been successfully put into use to address existing vulnerabilities”, the MSRC team wrote.
Third, the WebGL flaw opens up browsers to denial of service (DoS) risks. “While traditionally client-side DoS is not a high severity threat, if this problem is not addressed holistically, it will be possible for any web site to freeze or reboot systems at will. This is an issue for some important usage scenarios such as in critical infrastructure”, the team added.
“We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective”, the MSRC team concluded.