The vulnerability in the specification and implementation of WebGL allows an attacker to inject malicious code via the web browser, enabling attacks on the graphics processing unit (GPU) and graphics drivers. These attacks can render the entire machine unusable, according to Context researcher James Forshaw.
The researcher said there are other security issues that put users’ data and security at risk.
“These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode)”, he explained.
As a result, browsers that enable WebGL by default put their users at risk. Forshaw recommends disabling WebGL in the web browser.
“While there is certainly a demand for high-performance 3D content to be made available over the web, the way in which WebGL has been specified insufficiently takes into account the infrastructure required to support it securely. This is evident from the development of ways to mitigate the underlying security issues by introducing validation layers and driver black-lists; however, this still pushes much of the responsibility of securing WebGL on the hardware manufacturers. Perhaps the best approach would be to design a specification for 3D graphics from the ground up with these issues in mind”, Forshaw concluded.