IDG News Service - The WebGL graphics technology turned on by default in Firefox and Chrome poses a serious security risk and IT managers should consider disabling it, a security consultancy has recommended.
The flaws researched by UK consultancy Context Information Security are serious enough, the company said, to allow an attacker to compromise the attacked PC through the poorly defended graphics card layer, or at the very least crash the system to make it more vulnerable to exploits.
The company refused to offer details of the specific vulnerabilities it had experimented with but confirmed that it had been able to exploit systems using proof-of-concept attacks with certain graphics cards in a way -- kernel mode -- that breached the most secure ring of an OS.
"The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted," said Context Research and Development Manager Michael Jordon.
"While this may be true for local applications, the use of WebGL-enabled, browser-based applications with certain graphics cards now poses serious threats from breaking the cross-domain security principle to denial of service attacks, potentially leading to full exploitation of a user's machine," Jordon said.
The most serious of Context's claims is that the flaws in WebGL are inherent to its architecture and will therefore be extremely difficult to fix.
"In the short term, individual end users or IT departments can avoid potential problems by simply disabling WebGL within their browsers; but the only long-term solution is for the developers of WebGL itself to ensure that the specification is designed and tested to prevent these types of risks," Jordon said. The company believes that WebGL was not suitable for mass adoption.
WebGL will not, however, run reliably on an unknown number of graphics cards, including Intel's integrated graphics and most ATI chipsets. The easiest way to work out whether a specific card/browser combination is supported is to try to run WebGL graphics using one of a number of public project pages
using a supported browser or attempting to run Context's own proof-of-concept demo. A failure on these should mean that the machine is safe unless support is added at a later date.
Disabling WebGL varies from browser to browser but in Firefox involves setting a required value to "false" using the about:config command.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts