WebGL opens browser to attacks that can disable computer

10 May 2011

A researcher at the Context Information Security consulting firm has identified a number of serious vulnerabilities in the new WebGL 3D graphics standard enabled by default in Firefox 4 and Google Chrome browsers, and as an option in the Apple Safari browser.

The vulnerability in the specification and implementation of WebGL allows an attacker to inject malicious code via the web browser, enabling attacks on the graphics processing unit (GPU) and graphics drivers. These attacks can render the entire machine unusable, according to Context researcher James Forshaw.

The researcher said there are other security issues that put users’ data and security at risk.

“These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode)”, he explained.

As a result, browsers that enable WebGL by default put their users at risk. Forshaw recommends disabling WebGL in the web browser.

“While there is certainly a demand for high-performance 3D content to be made available over the web, the way in which WebGL has been specified insufficiently takes into account the infrastructure required to support it securely. This is evident from the development of ways to mitigate the underlying security issues by introducing validation layers and driver black-lists; however, this still pushes much of the responsibility of securing WebGL on the hardware manufacturers. Perhaps the best approach would be to design a specification for 3D graphics from the ground up with these issues in mind”, Forshaw concluded.

