US-CERT and Context Raise a Flag Over WebGL Security Risks, IE Safe from WebGL Woes

WebGL, a new web standard for browsers focused on enabling 3D graphics without requiring a plug-in, contains a number of security issues, according to independent information security consultancy firm Context.

At the same time, on May 10th, the United States Computer Emergency Readiness Team also raised a flag over WebGL security risks, pointing to the Context report and advising IT administrators to disable WebGL altogether in order to mitigate potential attacks.

"US-CERT is aware of reports indicating that WebGL contains multiple significant security issues. The impact of these issues includes arbitrary code execution, denial of service, and cross-domain attacks. WebGL is a new web standard that is enabled by default in Firefox 4 and Google Chrome and is included in Safari," the organization notes.

The latest versions of Safari, Chrome and by extension Chrome OS, Firefox, and Opera all support WebGL, with Internet Explorer 9 being the exception.

In this context, customers currently using IE9 are inherently safe from any WebGL woes, because IE9 does not implement WebGL; its hardware acceleration instead relies on Windows' DirectX API, which lets the browser use the computer's GPU to provide enhanced experiences to customers.

Despite the fact that US-CERT refers to arbitrary code execution as one result of WebGL's security issues, no such mention is found in the Context report, which only details denial of service and cross-domain attacks.

However, it might be that US-CERT's advice to turn off WebGL altogether is based on more information than just the Context report.