Microsoft Labels WebGL A Fundamental, Unacceptable Security Risk

rated by 0 users
This post has 8 Replies | 0 Followers

Top 10 Contributor
Posts 25,826
Points 1,168,085
Joined: Sep 2007
News Posted: Sat, Jun 18 2011 4:22 PM
The past 18 months have seen a significant evolution in browser graphics. Chrome, Firefox, Safari, and Opera have all added support for such standards as OpenCL, HTML5, and Direct2D acceleration. (HTML5 isn't a graphics standard, strictly speaking, but it allows the browser to handle certain activities that once required Flash plugins). Support for WebGL, a browser-friendly derivative of OpenGL, has been added to Firefox and Safari (with Chrome and Opera versions under development). Microsoft, however, has announced it won't be including WebGL support, claiming that the standard is far too insecure to be safely deployed.

As it turns out, the software giant has good reason to be concerned. Ever since the introduction of Windows XP, Microsoft has progressively sandboxed video drivers and limited their ability to cause system crashes. Beginning with Windows Vista, video drivers were split into a kernel mode driver (very streamlined) and a user-space driver that handles virtually all of the heavy lifting.

WebGL doesn't communicate with a GPU through a browser API; it addresses the graphics hardware directly. This undoubtedly reduces lag and improves performance, but it also bypasses all of the security features and remote access limitations that have been baked into modern browsers. Attacks written to take advantage of this fact can therefore waltz right into a system. Since GPU drivers aren't written with security in mind (they've never needed to be), there's very little to prevent this from occurring.

In theory, Intel, AMD, and Nvidia could harden the video drivers for their respective products and bake in watchdogs to monitor WebGL execution in real-time. In practice, this is highly unlikely. It would take a significant amount of time to create this sort of system and the programs in question would need to be coupled to specific browser versions. Updating a browser without simultaneously updating a browser could create a crack in the security foundation.

In its blog post, Microsoft also notes: "Users are not accustomed to ensuring they are up-to-date on the latest graphics card drivers, as would be required for them to have a secure web experience. In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often only update their drivers once per year, a reality that is just not compatible with the needs of a security update process."

Although scarcely out of infancy, WebGL can handle some impressive rendering for a browser.

The company's final reason for avoiding WebGL for the foreseeable future lies is that the security measures currently baked into WebGL (and there are some) are untested. "Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Although mitigations such as ARB_robustness and the forthcoming ARB_robustness_2 may help, they have not proven themselves capable of comprehensively addressing the DoS threat. While traditionally client-side DoS is not a high severity threat, if this problem is not addressed holistically it will be possible for any web site to freeze or reboot systems at will. This is an issue for some important usage scenarios such as in critical infrastructure."

Microsoft has particularly good reasons to take the stance it does. From 1997-2004 the words "Microsoft" and "Laughable Security" were interchangeable. A sizeable number Industry veterans from the 1996-2001 timeframe still experience terrifying flashbacks if they hear the name "Outlook Express."

Beginning with Windows XP SP2, the company devoted enormous resources to hardening the OS, limiting available attack vectors, and warning users when their systems were vulnerable. Some of these efforts have been more effective than others, but Windows Firewall, Microsoft Security Essentials, XP2's Security Center, and changes to how Windows Updates were handled have all been aimed at increasing OS security. Having spent the last seven years repairing its reputation, the company is scarcely going to want to risk another issue.

The other reason is related to IE's market share. The median estimate for IE's penetration across all tracking firms is 43.5 percent. While it no longer commands an absolute majority of the market, IE's user base is still 1.5x larger than Firefox at 27.9 percent. That's going to make the company doubly wary of potential security flaws--an issue with IE affects a much larger number of people.
  • | Post Points: 125
Top 25 Contributor
Posts 3,772
Points 40,510
Joined: Jan 2010
Location: New York
Inspector replied on Sat, Jun 18 2011 11:37 PM

... should i be avoiding firefox till something gets solved? :D

I find that announcing these kind of things just spread the chance of it happening to even higher chance then if it was kept secret, less hackers may know of it. But then again letting everyone know you can warn them to not use it... o wells :D

  • | Post Points: 5
Top 500 Contributor
Posts 207
Points 1,515
Joined: Feb 2011
pwrntspd replied on Sun, Jun 19 2011 2:09 AM

Heh, good thing i have pretty much every major browser installed. My browsing experience "varies per use".

  • | Post Points: 5
Top 150 Contributor
Posts 653
Points 5,925
Joined: May 2008
Location: Stockholm
mhenriday replied on Sun, Jun 19 2011 5:21 AM

Well, that is, of course, one way (the Microsoft way ?) to deal with the fact that IE continues (for excellent reasons) to lose market share....


Top 50 Contributor
Posts 2,865
Points 29,645
Joined: Mar 2011
Location: United States, Connecticut

I am glad that Microsoft has security in mind and I agree with them that it is not likely that video card manufacturers would harden their drivers.

In a GPU manufactuers eyes all it would do is introduce inefficiencies into their driver packages. Interestingly enough they say users and do not typically stay up to date with drivers though so many of them are released through windows updates now I don't know if that is very true.

I would hope the web browsers that do have this technology supported would have some sort of warning when running the WebGL content if it is so insecure.

  • | Post Points: 5
Top 500 Contributor
Posts 88
Points 750
Joined: Apr 2011

Wow, that's some heavy stuff in this article. Seems like a wise move to exclude WebGL, but I just hope they can somehow make up for the speed difference?

Also, I wish they would improve IE. Every time I use it (which isn't often, mainly when a link in Windows help or something pops it up), when I close it, it tells me it crashed (perhaps it's an add-on?).

  • | Post Points: 5
Top 50 Contributor
Posts 3,236
Points 37,910
Joined: Mar 2010
AKwyn replied on Sun, Jun 19 2011 8:05 PM

Lamar Kropf:
Also, I wish they would improve IE. Every time I use it (which isn't often, mainly when a link in Windows help or something pops it up), when I close it, it tells me it crashed (perhaps it's an add-on?).

I'm guessing it's a plugin. IE during the times I've used it has worked reliably for me, barely crashing at all (the later versions especially, IE 7 and 6 just don't feel the same way.)

Anyway, I'm surprised there are flaws in WenGL relating to security but unless someone manages to introduce a virus infected WebGL page that I can stumble upon accidentally. I'll be fine. I have to give thanks for announcing this so the community can get to work patching the thing but I can't help but feel that Microsoft is going to use this to introduce their version of WebGL... DirectWeb! Proprietary and only with Internet Explorer 10.


"The future starts with you; now start posting more!"

  • | Post Points: 5
Not Ranked
Posts 1
Points 5
Joined: Jun 2011

This is a total scare tactic response from the makers of the dying IE to keep you locked into their platform. Who, the makers of ie support open standards? What are you kidding? Just like activex is a great awesomely secure technology right? Seriously, these scare articles are so unrealistically all-conclusive - as if to say "if you don't use windows and ie for the rest of your life, you're going to die!!"... LULZ What a bunch of baloney. Every computer system has vulnerabilities.. But the good, FOSS ones get updates that fix the problems, and quickly. Why do you think people are fleeing to the awesome/FOSS Mozilla Firefox?

The "engineers" of ie are in it for one thing - that is to keep up the windows monopoly.

Allz I can say is DIE MONOPOLY. Drop this monopoly like the **** that it is. Open Standards, Open/Cross-Platform-Technology rulez!

  • | Post Points: 5
Not Ranked
Posts 2
Points 25
Joined: Jun 2011

I wonder in how short time Microsoft will announce Direct3d support in Silverlight - looks like FUD before introducing their own 'secure' product.

  • | Post Points: 5
Page 1 of 1 (9 items) | RSS