Microsoft is right to label WebGL 'harmful'

Summary: While Firefox and Chrome browsers already support WebGL, along with development versions of Opera and Safari, Microsoft has said that it has no plans to make Internet Explorer support the 3D graphics software library, and branded it a 'harmful' technology. Microsoft's right.


While Firefox and Chrome browsers already support WebGL, along with development versions of Opera and Safari, Microsoft has said that it has no plans to make Internet Explorer support the 3D graphics software library, and branded it a 'harmful' technology.

Microsoft's right.

Note: Mozilla were the original authors of WebGL but the project is now handled by the not-for-profit consortium The Khronos Group.

Now don't get me wrong, you can do cool stuff with WebGL. Really cool, impressive stuff that allows web browsers to deliver 3D graphics along the lines of a computer game. But the problem is that while you can do some really cool stuff with WebGL, because the technology gives web sites direct access to low-level hardware functions, bad things can be done with it too.

Microsoft has outlined its concerns over WebGL pretty clearly:

"The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really need to worry about before," Microsoft's engineer claims. "Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern."

These are all valid points. Driver security would be a major issue, and it's something that people haven't needed to worry about that much up until now. OEMs would need to significantly harden their drivers, while systems using old, insecure drivers would need to be blocked from using WebGL altogether until the drivers could be updated, or permanently if the hardware is end-of-life. Given the huge market share that Internet Explorer commands, and the wide array of platforms that the browser runs on, Microsoft is, I think, doing the right thing in playing it safe.

But wasn't Microsoft the company that unleashed ActiveX onto unsuspecting Web users? Sure it was. Web-based ActiveX controls were a really bad idea, but I'd like to think that the company has learned from previous mistakes. There's no way that Microsoft would bake a technology like ActiveX into the browser given the current security pressures on the browser.

But how bad is WebGL? Security firm Context has found a number of issues with WebGL, two of which stand out:

  • Document leakage via memory theft
  • Denial of Service (DoS)

Pretty serious stuff. Overall, Context is pretty damning of WebGL, even critical of the mechanism designed to protect users from DoS attacks:

Furthermore, Context's research found that Khronos' recommended defence against the DoS issue (WebGL_ARB_robustness) is not fit for purpose. First, only certain chipsets and operating systems (NVidia on Windows and Linux) support this feature. Moreover, this extension only offers mitigation, not a comprehensive solution to WebGL DoS issues.

While there are undoubtedly upsides to WebGL, the downsides are a major worry. WebGL security will undoubtedly improve as time goes on, but for now Microsoft made the right choice to give it a wide berth.

Talkback

49 comments
  • RE: Microsoft is right to label WebGL 'harmful'

    "Microsoft's right."

    Prepare for the onslaught of ABMers in 3, 2, 1...
    Truth is, if this proposes a security concern, no one should be using it. Get it out of Firefox and get it out of Chrome. Last thing users need is another "Flash" on their systems.

    $10 says Google pushes this technology to Windows users in an attempt to convert them over to ChromeOS. "Want the security? Use ChromeOS. We're not giving a damn about fixing this for Windows users... You use Windows, too bad so sad."
    The one and only, Cylon Centurion
    • All I have to say is....

      @Cylon Centurion

      been in this country long? Google has been sabotaging Windows for ages now. Google Toolbar and Chrome installs behind the scenes, f*#&ing up IE completely, and installing in user spaces where admins can't even find it, without needing admin rights.

      I really hope Windows 9 has something that prevents any software from installing in the user space with limited rights. Software should NEVER be allowed to be installed without admin rights, regardless of where it's installed. A user's space should only contain data and settings. Executable code should not exist in the user space.
      Joe_Raby
      • RE: Microsoft is right to label WebGL 'harmful'

        @Joe_Raby Then I will just switch to Linux and launch an installer that installs to /home/%username%/bin. Are you serious?
        Grayson Peddie
      • RE: Microsoft is right to label WebGL 'harmful'

        @Joe_Raby

        Amen.
        PMC-CON
      • RE: Microsoft is right to label WebGL 'harmful'

        @Joe_Raby

        You gotta be kidding me. Who would even use your computer? Unless they're using something like Chrome, where everything is running from the browser, nobody would use your proposed Microsoft brick. Meanwhile, guess how many times the Google Toolbar has been installed on any of my PCs, it's a number between -1 and 1 and the first two guesses don't count.
        tkejlboom
      • RE: Microsoft is right to label WebGL 'harmful'

        @Joe_Raby

        Amen as well!
        The one and only, Cylon Centurion
      • RE: Microsoft is right to label WebGL 'harmful'

        @Joe_Raby . . . sounds like you're wishing for Mac OS X, which won't install anything without admin-permission! Still Apple is far less vulnerable than MS, they have to fool the user, not the OS.
        Namorado_TX
      • Not true

        @ Namorado_TX

        As the 'Mac Guard' malware demonstrated, it's trivial to bypass the admin requirement in OS X. More generally, there's no need to 'install' software at all if users are allowed to execute arbitrary code. To get round that you've got to do something like restrict execution permission to a set of white-listed applications/publishers or directories (e.g. with AppLocker policies on Windows).

        If you think OS X is more secure than Windows, you should read what Charlie Miller has had to say on the matter. OS X has reasonably good security, but it's lagged behind Windows in important ways since at least Vista (and in some respects since XP SP2). Lion may bring OS X closer to Windows, with things like DEP for 32- and 64-bit processes and full ASLR. The OS X sandboxing mechanism may even have advantages over Windows sandboxes based on integrity levels (I haven't looked at the details yet).

        All in all, there aren't that many differences in security between OS X and Windows -- and OS X may still be safer because it's more obscure -- but where there are differences, Windows tends to have the edge, and this has been the case for years.
        WilErz
      • It depends on the environment

        @ Grayson Peddie

        In a secure environment, you wouldn't let users choose which OS to run, and would use something like Windows AppLocker to restrict what users are allowed to execute. Home users will always be able to shoot themselves, but features like IE's SmartScreen help. A whitelist for home users (similar to Apple's App Store) would be even stronger, but regulators would probably never allow it, and determined users could always override it anyway (as they can with the iPhone).
        WilErz
    • RE: Microsoft is right to label WebGL 'harmful'

      @Cylon Centurion

      I think this is a possibility as well.
      josh92
    • All software poses a security concern

      The question is can they get their model and implementation right?

      Currently there are problems.
      Richard Flude
      • RE: Microsoft is right to label WebGL 'harmful'

        @Richard Flude Yeah but most software is abstracted away from the hardware via OS. Software doesn't directly access hardware on most OSes. When you get directly to the hardware you are much less secure. Analogy would be, for example, the difference between having to remotely attack a server to having physical access to the server. An attacker would have more options in the latter case.
        DevGuy_z
    • urgent questions

      @Cylon Centurion
      Was wondering why all that interest in our vote and our opinion about one more security issue, I really can't tell anything serious about it. Only the experts who looked into this could.
      But looking at other sources on the internet I now have some serious questions:
      - Did Microsoft hire Context for this?
      - Does Microsoft use a technology (Silverlight 5) that has basically the same risks?
      - Do others use technologies with the same risks in IE without any reaction from Microsoft?
      - Would WebGL and OpenGL threaten the vendor lock-in that Microsoft can establish with DirectX API?
      - Why are those weaknesses presented so differently than others? Why were the same general points not raised about the other technologies that use the same methods?
      bezoeker
  • RE: Microsoft is right to label WebGL 'harmful'

    Without WebGL, vendors will look to alternatives like Flash, that will be much, much worse. Honestly, given the priority all three companies have made it, I trust my computer's security to Mozilla, Google and MS a lot more than I do Adobe.
    x I'm tc
    • RE: Microsoft is right to label WebGL 'harmful'

      @jdakula No, in case of WebGL, your security is at the hands of Nvidia and ATI. The video card industry had written so many buggy drivers that Firefox 4 had to maintain a white list to avoid crashing too much on users' computers. I would not trust them for writing secure code.
      jiangsheng
      • RE: Microsoft is right to label WebGL 'harmful'

        @jiangsheng Yeah, especially because their test cycle is mostly non-existent. They send the driver over to an OEM like HP or Dell and let their QA team pound on it. One of my friends used to lead one of HP's workstation graphics QA teams... NVidia especially would send absolute crap.
        snoop0x7b
  • RE: Microsoft is right to label WebGL 'harmful'

    For Windows, you can disable WebGL in Firefox but for Chrome, you might want to go into Chrome folder which is in AppData folder in Windows Vista (sorry I cannot support Windows XP) and rename chrome.exe to chrome_real.exe and just create a new chrome.exe script and have it execute chrome_real.exe -disable-webgl and it should work but maybe not as I cannot be so sure about that.

    For Linux, I think it's the same for Firefox but in Chrome, I don't know the correct file name in /usr/bin but you can rename google-chrome to google-chrome.real and then touch google-chrome with nano (my preferred text editor; very easy to use for me):

    <pre>#!/bin/sh
    # Wrapper: start the renamed Chrome binary with WebGL disabled, passing along any arguments
    exec google-chrome.real -disable-webgl "$@"</pre>

    And that should work.

    IMO, I think this is even simpler for Linux users compared to Windows users, though, when working with Chrome. For Firefox, I must say it's pretty much regardless of the platform (Windows/Linux/Mac).
    Grayson Peddie
    • RE: Microsoft is right to label WebGL 'harmful'

      @Grayson Peddie
      For Chrome on Windows, the option can be added to a desktop icon or start menu item. However, if Chrome is your default browser, follow the renaming strategy above. For FF you have to edit about:config, then browse to the relevant webgl setting (the setting varies by version, so set true or false accordingly). IMHO, these should be more accessible, via easily located settings or options.
      djhill8262
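
To confirm that the launch flag or about:config change described in the two comments above actually took effect, a page can try to create a WebGL context and report the outcome. This is an added example, not part of the original article or comments; `probeWebGL` and its result fields are names chosen here, and probing `webgl2` goes beyond the context names in use when the page was written.

```javascript
// Added example: report whether script in this browser can still obtain a WebGL context.
// In a browser, paste into the console; the guarded call at the bottom prints the result.
const CONTEXT_NAMES = ['webgl', 'experimental-webgl', 'webgl2'];

function probeWebGL(doc, win) {
  const result = { apiPresent: false, contexts: {}, enabled: false, renderer: null };
  // Presence of the interface only shows the browser ships WebGL;
  // context creation below is the real test of whether it is switched off.
  result.apiPresent = typeof win.WebGLRenderingContext !== 'undefined';
  for (const name of CONTEXT_NAMES) {
    // A canvas is bound to the first context type it hands out, so use a fresh one per name.
    const canvas = doc.createElement('canvas');
    let gl = null;
    try {
      gl = canvas.getContext(name);
    } catch (e) {
      gl = null; // treat an exception the same as a refused context
    }
    result.contexts[name] = gl !== null && gl !== undefined;
    if (gl && !result.renderer) {
      // Record which GPU/driver the context runs on, for comparison with driver advisories.
      const ext = gl.getExtension('WEBGL_debug_renderer_info');
      result.renderer = ext ? gl.getParameter(ext.UNMASKED_RENDERER_WEBGL)
                            : gl.getParameter(gl.RENDERER);
    }
  }
  // WebGL counts as reachable if any context name succeeded.
  result.enabled = Object.values(result.contexts).some(Boolean);
  return result;
}

if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  console.log(probeWebGL(document, window));
}
```

With WebGL disabled, `enabled` should be `false` and every entry in `contexts` should be `false`, even when `apiPresent` is `true`.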
    • RE: Microsoft is right to label WebGL 'harmful'

      @Grayson Peddie

      " (sorry I cannot support Windows XP)"

      HOW DARE YOU! ;)
      The one and only, Cylon Centurion
  • RE: Microsoft is right to label WebGL 'harmful'

    "But wasn't Microsoft the company that unleashed ActiveX onto unsuspecting Web users? Sure it was. Web-based ActiveX controls were a really bad idea, but I'd like to think that the company has learned from previous mistakes."

    And that's why IE9 has "ActiveX Filtering" now.
    Samic