WebGL security flaws: Context responds
Context Information Security's claim that HTML5's WebGL represents a security risk has been widely reported this week, with more than 30 items appearing in Google News, and Context has now responded with a sort of "Frequently Asked Questions" post. WebGL is used to deliver accelerated 3D graphics in Canvas, and is promoted by Google for web-based applications programming. If the flaws are indeed inherent to WebGL's architecture, as Context says, then it could be extremely hard to produce satisfactory fixes. This could be a significant problem because WebGL is not just cross-platform -- it's supported on Microsoft Windows, Linux, and Mac OS X -- but expected to be cross-device, appearing on other products such as tablets and smartphones.
As I reported on May 9, Context said WebGL's design flaws give "potentially malicious web pages low level access to graphics cards that could provide a ‘back door’ for hackers and compromise data stored on internet-connected machines". Then, in an update, I noted the response from the multi-vendor Khronos Group, WebGL Security, which said it "has already specified one extension to OpenGL, GL_ARB_robustness, specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content", and that it was "considering requiring Cross Origin Resource Sharing (CORS) opt-in or other mechanisms to prevent abuse of this capability".
On May 11, the United States Computer Emergency Readiness Team said: "US-CERT encourages users and administrators to review the Context report and update their systems as necessary to help mitigate the risks."
In WebGL - A New Dimension for Browser Exploitation - FAQ, Context's James Forshaw has now responded with "further information to aid in the understanding of the issues". Briefly, the London-based company doesn't think resetting the graphics card (GL_ARB_robustness) is a useful response to what's effectively a Denial of Service (DoS) attack. With regard to the other problem, it says: "Context would recommend the use of a mechanism to manage cross-domain images for example the requirement of CORS within WebGL".
The FAQ also provides a guide to disabling WebGL in Chrome 9 and Firefox 4, which are potentially at risk. On Apple's Safari, the FAQ says: "Unless you are using a nightly builds of WebKit, WebGL is not easily available and requires a user preference setting to enable. Therefore you do not need to actively disable it at the moment."