Microsoft calls the graphics technology used in Firefox and Chrome dangerous
Microsoft has made an unusually sharp statement that WebGL, the graphics technology promoted by the Khronos Group, is too dangerous to be supported in Windows.
Currently both Google Chrome and Mozilla Firefox ship with WebGL support. Google calls it “the most powerful way to add 3D graphics on the web pages” and urges developers to “explore the field of graphic development”. Mozilla positions WebGL as the ideal technology for “interactive 3D games and applications with the rich graphics and realization of a new approach to the visual design without using other software components”.
Microsoft, in turn, has published a statement entitled “WebGL considered harmful” on the official blog of the Microsoft Safety Center. It was published by the group responsible for the security of Windows and other Microsoft products.
The statement followed a pair of reports describing “serious design flaws” and “security problems” in WebGL. The latest report includes a demonstration of how user data can be stolen through the browser.
Microsoft responded quickly with a very strong statement:
One of the functions of the Microsoft Safety Center is to analyze different technologies, which makes it possible to understand how much one technology or another can directly affect Microsoft or its users. As part of this strategy, WebGL was recently analyzed too. The analysis led to the conclusion that Microsoft products supporting WebGL could hardly meet the requirements of the secure software development process.
WebGL will be a source of vulnerabilities that will be difficult to fix. In its current condition, WebGL is not a technology that Microsoft could support in terms of security.
The report states that WebGL support in the browser is a “direct method of opening the hardware functionality to the web, which is overly permissive”. Graphics drivers cannot be relied upon to comply with security requirements, and there is no working model for ensuring the security of video card drivers. Considering the prevalence of attacks that use vulnerabilities in other products (for example, Adobe Flash and Java-based applications), this is a legitimate concern on Microsoft's part.
Microsoft also states that WebGL enables a DoS attack scenario that makes it “possible for any Web site to suspend the system or reboot it at its own wish.”
In the report, Ari Bixhorn of the Internet Explorer team makes a direct attack on the competitors:
Users should understand that the security of their computers is questionable when they go on the Internet using Google Chrome and Firefox. Because these browsers support the WebGL technology, sites that distribute malicious programs gain access to the most protected parts of a computer. With security holes like this, it becomes clear that WebGL is not ready to become the standard, so users should not use these browsers. Therefore, Microsoft Safety Center recommended refraining from using the products of WebGL in Microsoft products, for example Internet Explorer.
In response to such attacks, the Khronos Group is trying to smooth over the security situation, arguing that browser developers are working on the compliance and security requirements of WebGL and that the demonstrated holes are “the result of error in the realization of WebGL in Firefox”. The bug is reported to be fixed in Firefox 5, the final version of which will be presented toward the end of the month.
The representative of the Khronos Group refused to respond to the Microsoft report, but noted that Mozilla, Firefox, and Opera all support WebGL, while Apple has announced limited support of WebGL in iOS 5.
Google’s representative said that the company does not consider WebGL a significant threat to its users. Most of the WebGL stack, including GPU processors, runs in a separate process and is isolated in Chrome to prevent various types of attacks. Google states that it can withstand lower-level attacks by working with the suppliers of hardware, operating systems and drivers, and by disabling WebGL on configurations that are considered unsafe.