The email of the species is deadlier than the mail
|
|
|
Microsoft claims WebGL makes consumer PCs DDoS targets
PROPRIETARY SOFTWARE DEVELOPER Microsoft has slammed the WebGL graphics standard as allegedly insecure.
Microsoft's security research and defense group said that its research into WebGL had concluded that it "would have difficulty passing Microsoft's Security Development Lifecycle requirements". Microsoft then rattled off its security concerns with WebGL, mainly surrounding its low level access to hardware.
WebGL was originally a Mozilla-based effort, but now the Khronos development consortium oversees development with WebGL integrated into Mozilla's Firefox and Google's Chrome web browsers. While companies such as AMD, Apple, ARM, Intel, Nokia, Nvidia, Oracle, Samsung and Sony are part of Khronos, Microsoft isn't.
Microsoft said that the security of WebGL is dependant on "lower levels of the system, including OEM drivers". It claims that while the risk can be mitigated, "the large attack surface exposed by WebGL remains a concern". Interestingly, Microsoft said that certain video card vendors might be more prone to security vulnerabilities than others, though it did not finger any suspects.
Aside from video card driver vulnerabilities, Microsoft said that WebGL generally relies too heavily on third parties to provide secure website viewing. The problem is a manifestation of the graphics card driver issues Microsoft mentioned previously, saying that hardware vendors could decide to block web content in order to prevent users from being affected by security vulnerabilities.
Microsoft said, "Users are not accustomed to ensuring they are up-to-date on the latest graphics card drivers, as would be required for them to have a secure web experience. In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often only update their drivers once per year, a reality that is just not compatible with the needs of a security update process."
Certainly AMD and Nvidia would argue, correctly, that they issue driver updates far more frequently than once a year, but Microsoft might point to the percentage of users that actually update their software regularly, which is likely to be very low.
Microsoft is also worried that operating systems do not adequately defend against attacks that make use of "attack-supplied shaders and geometry". It claims that WebGL might lead to consumer PCs becoming targets for denial of service attacks.
After all that, Microsoft judged that WebGL "will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective."
Perhaps Microsoft should join the Kronos Group to try to change the 'current form' of WebGL if it doesn't want to deal with alleged vulnerabilities it claims to be so worried about. µ
Tags: Microsoft
Share this:
Share
They were happy to rely on the “security” of drivers to maintain the “Protected Data Path” for DRM’d HD video in Windows Vista and Seven, yet now suddenly it’s not good enough for WebGL.
"If you ignore their motives they are right to point out that WebGL is a large and mostly unprotected attack surface."
Windows itself is an even larger attack surface that gets exploited on a regular basis.
If Microsoft was as good at recognizing possible security vulnerabilities as they purport to be, Windows wouldn't be the turd that it is today.
All those Linux whores commenting here don't even have working OpenGL drivers so they won't be vulnerable to WebGL attacks, right? Security by obscurity, we all heard of that.
What, you have working OpenGL?
Then you are using binary drivers which TAINT your kernel. Zomg! You are not TRUE Linux whores if you don't use incomplete and unstable free open-source video card drivers! Your ass is mine bitches!
http://www.trustworthycomputing.com/
YAWN! It Microsoft so they MUST be talking rubbish.
The comments made by Microsoft make a lot so sense. But I guess some of the commentors know much better!
Hope you're all ruuning Linux? No?
If you ignore their motives they are right to point out that WebGL is a large and mostly unprotected attack surface.
It's in Microsofts power to release their WHQL certified graphics drivers as critical updates to users. I doubt OEM's disable windows update.
But i do agree that any webpage have access to so much gfx power is dangerous. Some stressing gfx benchmarks have managed to cause graphics card meltdown. A webgl "virus", i suspect, could do the same.
Didn't MS have the same problem with WMF files because they just dumped the contents to the GDI and that could act on executable code embedded in the file?
I suspect the solution will be the same as MS did with WMF and everyone does with practically everything else; not trusting the file and bounds checking everything.
ActiveX inventor claims WebGL makes consumer PCs DDoS targets
For this to work safely, we really need a reliable security system -inside- the graphics processor's little universe. How about that!
It's absurd to worry about the security of Adobe Reader and not about WebGL.
Another FUD campaign against OpenGL so they can push DirectX instead?
Well, I guess it worked last time. Except this time they don't have DirectX as an alternative.