Microsoft calls graphics technology in Chrome and Firefox "harmful"

Microsoft calls graphics technology in Chrome and Firefox "harmful"

Summary: In an unusually blunt statement, Microsoft has announced that it considers the WebGL graphics technology used in Google Chrome and Mozilla Firefox to be "harmful" and "not a technology Microsoft can endorse from a security perspective."

SHARE:
209

In an unusually blunt statement, Microsoft has announced that it considers the Khronos Group’s WebGL graphics technology too dangerous to support in Windows.

Currently, both Google Chrome and Mozilla Firefox are shipping with support for WebGL. Google calls it “the most powerful way to add 3D graphics to web pages” and encourages developers to “experiment with graphics programming.” Mozilla pitches WebGL as ideal for “interactive 3D games, vivid graphics and new visual experiences for the Web without the use of third-party plug-ins.”

Microsoft’s announcement, “WebGL Considered Harmful,” was published on the official blog of the Microsoft Security Response Center (MSRC) and signed by MSRC Engineering. It was posted by swiat, which is short for Secure Windows Initiative Attack Team, the group that is responsible for the security architecture of Windows and other Microsoft products.

The statement comes on the heels of a pair of reports from Context Information Security that described “serious design flaws” and "security issues" in WebGL. The most recent post included a demonstration of how to steal user data through a web browser.

Microsoft threw all its security muscle behind some very strongly stated conclusions:

One of the functions of MSRC Engineering is to analyze various technologies in order to understand how they can potentially affect Microsoft products and customers. As part of this charter, we recently took a look at WebGL. Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft’s Security Development Lifecycle requirements.

[…]

We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.

The report argues that browser support for WebGL “directly exposes hardware functionality to the web in a way that we consider to be overly permissive.” Graphics drivers can’t be depended on to uphold security guarantees, and there’s no workable security servicing model for video card drivers. Given the prevalence of attacks using third-party vulnerabilities (Adobe Flash files and Java apps, for example), that seems like a legitimate concern.

Microsoft also contends that the use of WebGL enables denial-of-service scenarios that would make it “possible for any web site to freeze or reboot systems at will.”

In an e-mailed statement, Ari Bixhorn of Microsoft’s Internet Explorer team took a direct swipe at its competition:

Customers need to understand that the security of their computers is at risk when they browse the web using Google Chrome and Firefox. Because these browsers support WebGL, they open a door for malicious websites to access one of the most secure parts of a person's computer. With security holes like this, it's clear that WebGL isn't ready for primetime, and that people shouldn't be using a browser that supports it. This is why the Microsoft Security Response Center recently recommended against the use of WebGL in Microsoft products like Internet Explorer.

In a response to other media outlets, Khronos Group downplays security concerns, suggesting that browser vendors are still working toward passing a WebGL conformance suite and that the demonstrated security issue is “due to a bug in Firefox’s WebGL implementation.” That bug is reportedly resolved in Firefox 5, which is due for release before the end of the month.

A Khronos Group spokesperson declined to respond directly to Microsoft's report but noted that Mozilla, Firefox, and Opera all strongly support WebGL, and Apple has announced limited support for WebGL in iOS 5.

A Google spokesperson said the company doesn't see WebGL as a significatn threat to its users. Many parts of the WebGL stack, including the GPU process, "run in separate processes and are sandboxed in Chrome to help prevent various kinds of attacks," the spokesperson added. Google says it can ward off lower level attacks by working with hardware, OS, and driver vendors to disable WebGL on system configurations that are found to be unsafe.

Topics: Microsoft, Browser, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

209 comments
Log in or register to join the discussion
  • Too dumb to support as well

    This idea of computation-intensive tasks being done in a browser just doesn't pass the smoke test. If you need raw graphic power you should talk to the OS directly. Who needs a browser as the middle-man between your APPs and the OS?
    LBiege
    • RE: Microsoft calls graphics technology in Chrome and Firefox

      @LBiege
      I guess you're a proponent of a one OS world.
      wendellgee2
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        @wendellgee@... Or one standardized API? That's the point of OpenGL. It works on any OS, same API.
        snoop0x7b
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        @wendellgee@... this has nothing to do with OS, Microsoft is talk about old video card drivers that will never receive a stability update, let along a security update, but still running at the kernel level. Take a look at FireFox's discussion on the decision of maintaining a video card driver white list and tell me you trust the authors of video card drivers handling your computer's kernel security. If a driver bug crashes the browser, the browser gets the blame. FireFox programmers learned the hard way.
        jiangsheng
      • Its a direct threat to 3D solutions proposed by MS

        Hence its a threat to you.... yeah right.

        Google guarantees it is sandboxed...

        If Google doesn't live up to this.. then they'll pay for it. If they do...MS is going to look silly... specially when you consider that MS Internet Explorer keeps on losing ground to Chrome.

        If you look at w3schools.. browser stats.. you will see what the leading curve looks like. Internet Explorer is used by less than 26% of developers... that in itself sais a lot.

        But you want to be six months to a year behind.. look at Wikipedia stats. MS averages 43% of the marketshare and loosing ground.
        Uralbas
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        <strong>@Uralbas@... </strong>

        <em>"Google guarantees it is sandboxed..."</em>

        If the code is accessing hardware directly, if it is in fact able to directly access the kernel, how is that sandboxed?

        Google can promise anything and everything.

        However, when the technology it incorporates circumvents the possibility of being sandboxed by directly accessing hardware at the kernel level then regardless of where the rest of it's platform is residing there is no sandbox, it has been eliminated.
        Raid6
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        @wendellgee@... Incredibly pleasant as well as valuable topic to read for every person. I furthermore propose you that http://nzedpills.com
        Eustache
        drumandyou
    • The browser is the OS

      Well that's the plan, standardize the API. This is what MS feared back with Netscape.

      Surprising MS would be so hard on this technology yet continue to support ActiveX.
      Richard Flude
      • Not surprising as WebGL is not as secure

        @Richard Flude
        Nor has Microsoft feared standardizing the API back with Netscape.
        Though I am pondering what it is about Microsoft that scares you to post such obvious nonsense.
        :|
        Tim Cook
      • Spock

        The DoJ fought a court case over the comment, resulting in billion paid by MS and a decade of antitrust oversight.

        Yet in Spocks world it never happened.
        Richard Flude
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        @Richard Flude ... Psst, 2002 called and it wants its ActiveX-hate speech back. ActiveX hasn't been a significant threat since the pre-IE7 days, as the entire technology has gone through a significant revamp.

        I'm not calling that tech or ANY tech perfect, just pointing out that it's not nearly as problematic as other technologies.
        GoodThings2Life
      • @GoodThings2Life .. who the h*ck ..

        ... do you think your kidding? The old empty, baseless-defense, throw-away-line, trick:

        [i]"...I'm not calling that tech or ANY tech perfect, just pointing out that it's not nearly as problematic as other technologies."[/i]

        Where is your research to back up your phoney claims that ActiveX is "not nearly as problematic as other technologies." Like Spock and other brown n0$ers like yourself, you seem to be awful quick to jump to the defense of MS - even in cases that are glaringly indefensible - and without a leg to stand on.

        Like your fellow employee Ed Bott .. try to get a little perspective. This story is, at best, a pathetic case of 'the pot calling kettle black'.

        You guys either deflect attention away from obvious negative findings about MS and make it sound like IE is now *somehow* 'the new paragon of browser security' - which it never has been nor is ever likely to be.

        At any rate, does Redmond allow staffers like you to blog during work hours? .. Get back to work!
        thx-1138_
      • Forget 2002, jump to 2011

        http://www.microsoft.com/technet/security/Bulletin/MS11-027.mspx
        Richard Flude
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        @Richard Flude Any monopoly (dominant market player) is going to try and protect that position. Given the massive slide in IE use despite it coming pre-installed with Windows, any further weakening is a real threat. Android, Chrome OS and Google's payment to Firefox for enabling it as default search engine must be terrifying MS. Firefox/Chrome as dominant browsers means the deal with Google on search could be an anti-trust issue.

        A *lot* of people are still on IE6. Look at the mad scramble to improve IE with 7 and 8 after massive complacency and appreciate why competition is important. Any end user that thinks pressure on MS is not a good thing is a turkey voting for Christmas. Google is a lot more friendly to end-users because its business model is largely business to business advertising. Firefox is a community project. But there are still potential anti-trust issues there too.
        INGOTIAN
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        @Richard Flude

        Oh yeah, Netscape, I almost forgot about the most loathed browser every created!

        They certainly did want standards, only their standards, their way, under their terms, only as they desired, ... you get the picture.

        Netscape was no more about standards than MS is or was.

        In fact, MS is more about standards as they have been using the same LDAP adaptation for years, the same Exchange API for years, the same evolving .NET for years, and the same evolving DirectX for years.

        MS doesn't change these API's (errr standards), other than to update them.

        My favorite browser, Netscape 4.7, what a beast.
        Raid6
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        From the time Microsoft released IE4 in 1997, ActiveX has been well documented as creating some horrible vulnerabilities, and Microsoft's solution - get injunctions against publishing this information.

        Mozilla publishes their source code, encourages peer review, and encourages people to report and publish concerns about vulnerabilities, even if they are merely theoretical - and fixes them even if they can never be exploited.

        Microsoft considers publication of security vulnerability information, and root cause analysis, especially to security agencies like CERN to be a violation of the "Reverse Engineering" clause of their End User License Agreements, and has been known to sick the legal department on anyone who dares to attempt to publish such information.

        Internationally, some countries, such as Germany, permit publication of such information, but that protection only extends to content published in German.

        No accident that Microsoft has spend nearly 20 years trying to fix known security holes - such as the FAT file system file sharing and Active X controls - while promoting them as strategic features - by not fixing them, and just putting band-aids around them.

        Microsoft wants the ability to see any file on your computer, at any time, whether you want them to or not, and tools like ActiveX and DirectX give them this access.
        Rex1Ballard
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        <strong>@Rex1Ballard</strong>

        MS has not spent 20 years trying to undo vulnerabilities in products. IE4 is as closely related to IE7,8, and 9 as a sea monkey is to a dolphin.

        MS not wanting to syndicate technical information that [b]could absolutely[/b] be used to reverse engineer the inner operations of the OS that the company has invested billions into (billions of dollars from a huge array of global investors), why would they want to afford anyone the ability to see the inside of their intellectual property.

        And how is that any different in terms of strategy and protectionism of their IP then Apple shutting down competitors that builder lower cost hardware to run the mighty Apple OS?

        Hmmmmmmmmmmm?

        A EULA is a EULA is a EULA.

        Apple does not expose it's OS. HP does not expose it's Unix. Sony doesn't expose it's PS OS. Why should MS do that?

        Hmmmmmmmmmmm?

        Stop being a dork.
        Raid6
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        @Richard Flude ActiveX is not relevant. First, it's disabled by default, now it works just the same as any plug-in API for Firefox or other browser. Every browser can run native code when you install a browser plug-in.

        Secondly, this is about PREVENTING another API that's going to require constant patching and update. Allowing javascript to upload code to the graphic card, by-passing the OS, is not something to take lightly. The security concerns have been documented by a third party http://www.contextis.com/resources/blog/webgl2/
        fredericr
      • RE: Microsoft calls graphics technology in Chrome and Firefox

        @Richard Flude

        I have to support Richard on this thread. @Spock, he is not talking nonsense. Microsoft started the browser incompatibility wars and probably would not have ended if the DoJ and others had not stepped in. There can be no question that Microsoft made deliberate attempts to undermine Java, JavaScript and other web technologies to undermine the technology of their competition at the expense of consumers - otherwise they would not have lost in litigation.

        Today IE 9 is amazingly compliant with W3 standards because Microsoft lost the war as a consequence of successful litigation and declining market share. Now the consumer is the winner.
        kolotyluk
    • RE: Microsoft calls graphics technology in Chrome and Firefox

      @LBiege I'm inclined to agree with you.
      snoop0x7b