A WEB STANDARD enabled by default in the Firefox 4 and Google Chrome web browsers has serious security issues, according to an independent security consultancy.
WebGL, which stands for web-based graphics library, is a software technology that allows you to bring hardware-accelerated 3D graphics to a web browser without the need for additional software. Enabled in the latest versions of Chrome and Firefox, it can also be switched on in Safari and Opera.
Context Information Security consultant James Forshaw said there are a number of serious security issues with the specification and implementation of WebGL.
He said, "These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the graphic processor unit (GPU) and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable."
Forshaw claimed that there are other dangers with WebGL that put user data, privacy and security at risk, adding, "These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design."
"Fundamentally, WebGL now allows full programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer."
He said that denial-of-service attacks are already a well-known WebGL security issue, and that some operating system crashes that the firm has observed created potentially exploitable conditions.