21 Sep

WebGL flaws put Chrome and Firefox users at serious risk

Both Mozilla and Google have sung the praises of WebGL and its ability to bring rich 3D experiences to users via the Web. According to security researcher James Forshaw, that extra dimension comes with a rather serious trade-off: your security.

Over on the Context Information Security blog, Forshaw details several flaws in WebGL which could allow an attacker to infiltrate a user’s system and wreak havoc via the GPU and graphics drivers. These issues are particularly worrisome since WebGL is effectively granted access to kernel mode features “in what is supposed to be the most protected part of the computer.”

In addition to being able to render a system unusable (WebGL is already known to have been exploited in denial-of-service attacks), the vulnerabilities allow something which is potentially much more harmful. As illustrated by Context’s proof of concept, it’s possible to steal content which is being rendered on a user’s display. That means sensitive information you’re browsing – from bank account details to password reset questions and answers – could be exposed to malicious prying eyes.

The proof-of-concept should work in any browser with WebGL support, including Firefox 4+ and Google Chrome 9+. Internet Explorer and Opera users are safe for now, though WebGL support is planned for the final release of Opera 11.50. Microsoft, however, has made it clear that it preferred to support technologies like 3D CSS and HTML5 layers — and it appears as though IE users can enjoy a little added peace of mind as a result of that decision.

Forshaw recommends IT administrators (and users) disable WebGL until its security shortcomings have been addressed. That won’t be a simple task, he warns, and his closing words are actually quite ominous: “Perhaps the best approach would be to design a specification for 3D graphics from the ground up with these issues in mind.”

via The Inquirer and Context IS