In an unusually blunt statement, Microsoft has announced that it considers the Khronos Group’s WebGL graphics technology too dangerous to support in Windows.
Currently, both Google Chrome and Mozilla Firefox are shipping with support for WebGL. Google calls it “the most powerful way to add 3D graphics to web pages” and encourages developers to “experiment with graphics programming.” Mozilla pitches WebGL as ideal for “interactive 3D games, vivid graphics and new visual experiences for the Web without the use of third-party plug-ins.”
Microsoft’s announcement, “WebGL Considered Harmful,” was published on the official blog of the Microsoft Security Response Center (MSRC) and signed by MSRC Engineering. It was posted by swiat, which is short for Secure Windows Initiative Attack Team, the group that is responsible for the security architecture of Windows and other Microsoft products.
The statement comes on the heels of a pair of reports from Context Information Security that described “serious design flaws” and “security issues” in WebGL. The most recent post included a demonstration of how to steal user data through a web browser.
Microsoft threw all its security muscle behind some very strongly stated conclusions:
One of the functions of MSRC Engineering is to analyze various technologies in order to understand how they can potentially affect Microsoft products and customers. As part of this charter, we recently took a look at WebGL. Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft’s Security Development Lifecycle requirements.
[…]
We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.
The report argues that browser support for WebGL “directly exposes hardware functionality to the web in a way that we consider to be overly permissive.” Graphics drivers can’t be depended on to uphold security guarantees, and there’s no workable security servicing model for video card drivers. Given the prevalence of attacks using third-party vulnerabilities (Adobe Flash files and Java apps, for example), that seems like a legitimate concern.
Microsoft also contends that the use of WebGL enables denial-of-service scenarios that would make it “possible for any web site to freeze or reboot systems at will.”
In an e-mailed statement, Ari Bixhorn of Microsoft’s Internet Explorer team took a direct swipe at its competition:
Customers need to understand that the security of their computers is at risk when they browse the web using Google Chrome and Firefox. Because these browsers support WebGL, they open a door for malicious websites to access one of the most secure parts of a person’s computer. With security holes like this, it’s clear that WebGL isn’t ready for primetime, and that people shouldn’t be using a browser that supports it. This is why the Microsoft Security Response Center recently recommended against the use of WebGL in Microsoft products like Internet Explorer.
In a response to other media outlets, Khronos Group downplays security concerns, suggesting that browser vendors are still working toward passing a WebGL conformance suite and that the demonstrated security issue is “due to a bug in Firefox’s WebGL implementation.” That bug is reportedly resolved in Firefox 5, which is due for release before the end of the month.
A Khronos Group spokesperson declined to respond directly to Microsoft’s report but noted that Mozilla, Firefox, and Opera all strongly support WebGL, and Apple has announced limited support for WebGL in iOS 5.
A Google spokesperson said the company doesn’t see WebGL as a significatn threat to its users. Many parts of the WebGL stack, including the GPU process, “run in separate processes and are sandboxed in Chrome to help prevent various kinds of attacks,” the spokesperson added. Google says it can ward off lower level attacks by working with hardware, OS, and driver vendors to disable WebGL on system configurations that are found to be unsafe.
