Microsoft Labels WebGL A Fundamental, Unacceptable Security Risk

The past 18 months have seen a significant evolution in browser graphics. Chrome, Firefox, Safari, and Opera have all added support for such standards as OpenCL, HTML5, and Direct2D acceleration. (HTML5 isn't a graphics standard, strictly speaking, but it allows the browser to handle certain activities that once required Flash plugins). Support for WebGL, a browser-friendly derivative of OpenGL, has been added to Firefox and Safari (with Chrome and Opera versions under development). Microsoft, however, has announced it won't be including WebGL support, claiming that the standard is far too insecure to be safely deployed.

As it turns out, the software giant has good reason to be concerned. Ever since the introduction of Windows XP, Microsoft has progressively sandboxed video drivers and limited their ability to cause system crashes. Beginning with Windows Vista, video drivers were split into a kernel mode driver (very streamlined) and a user-space driver that handles virtually all of the heavy lifting.

WebGL doesn't communicate with a GPU through a browser API; it addresses the graphics hardware directly. This undoubtedly reduces lag and improves performance, but it also bypasses all of the security features and remote access limitations that have been baked into modern browsers. Attacks written to take advantage of this fact can therefore waltz right into a system. Since GPU drivers aren't written with security in mind (they've never needed to be), there's very little to prevent this from occurring.

In theory, Intel, AMD, and Nvidia could harden the video drivers for their respective products and bake in watchdogs to monitor WebGL execution in real-time. In practice, this is highly unlikely. It would take a significant amount of time to create this sort of system and the programs in question would need to be coupled to specific browser versions. Updating a browser without simultaneously updating a browser could create a crack in the security foundation.

In its blog post, Microsoft also notes: "Users are not accustomed to ensuring they are up-to-date on the latest graphics card drivers, as would be required for them to have a secure web experience. In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often only update their drivers once per year, a reality that is just not compatible with the needs of a security update process."

Although scarcely out of infancy, WebGL can handle some impressive rendering for a browser.

The company's final reason for avoiding WebGL for the foreseeable future lies is that the security measures currently baked into WebGL (and there are some) are untested. "Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Although mitigations such as ARB_robustness and the forthcoming ARB_robustness_2 may help, they have not proven themselves capable of comprehensively addressing the DoS threat. While traditionally client-side DoS is not a high severity threat, if this problem is not addressed holistically it will be possible for any web site to freeze or reboot systems at will. This is an issue for some important usage scenarios such as in critical infrastructure."

Microsoft has particularly good reasons to take the stance it does. From 1997-2004 the words "Microsoft" and "Laughable Security" were interchangeable. A sizeable number Industry veterans from the 1996-2001 timeframe still experience terrifying flashbacks if they hear the name "Outlook Express."

Beginning with Windows XP SP2, the company devoted enormous resources to hardening the OS, limiting available attack vectors, and warning users when their systems were vulnerable. Some of these efforts have been more effective than others, but Windows Firewall, Microsoft Security Essentials, XP2's Security Center, and changes to how Windows Updates were handled have all been aimed at increasing OS security. Having spent the last seven years repairing its reputation, the company is scarcely going to want to risk another issue.

The other reason is related to IE's market share. The median estimate for IE's penetration across all tracking firms is 43.5 percent. While it no longer commands an absolute majority of the market, IE's user base is still 1.5x larger than Firefox at 27.9 percent. That's going to make the company doubly wary of potential security flaws--an issue with IE affects a much larger number of people.