Microsoft has revealed of its decision to not support WebGL in its current form due to serious security concerns – meaning “no WebGL support in upcoming versions of Internet Explorer”.
In a blog post, Microsoft identified three key issues that prevent products containing WebGL from passing Microsoft’s Security Development Lifecycle requirements. These concerns were similar to those raised last month by Context Information Security.
“We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective,” stated MSRC Engineering.
“WebGL, is an emerging graphics API from the Khronos Group, is supported and enabled in Firefox and Chrome, can be turned on in Safari, and available in an experimental build of Opera.”
- The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really need to worry about before. Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise.
- As WebGL vulnerabilities are uncovered, they’ll not always manifest in the WebGL API itself. The problems may exist in the various OEM and system components delivered by IHV’s. While it has been suggested that WebGL implementations may block the use of affected hardware configurations, this strategy does not seem to have been successfully put into use to address existing vulnerabilities.
It’s our belief that as configurations are blocked, increasing levels of customer disruption may occur.
- Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. While traditionally client-side DoS isn’t a high severity threat, if this problem isn’t addressed holistically it’ll be possible for any web site to freeze or reboot systems at will. This’s an issue for some important usage scenarios such as in critical infrastructure.