Dangerous WebGL Flaw Puts Firefox and Chrome Users at Risk

Security researchers have discovered a dangerous vulnerability in WebGL–a Web standard used by Firefox and Chrome to deliver 3D graphics within the Web browser. The flaws may be exploited to enable an attacker to run malicious code on the system, and could expose sensitive data.

Microsoft developed Internet Explorer 9 with hardware-accelerated graphics capable of tapping the power of the GPU to deliver more impressive graphics and 3D rendering that don’t impact the speed or performance of the browser. Rival browsers like Firefox and Chrome, though, have put their eggs in the WebGL basket, and that may be a serious issue for users of those browsers.

What is the risk? WebGL enables Internet-based programs to access the graphics driver and graphics hardware–exposing low-level core functions of the system to possible malicious exploits. The graphics hardware and drivers are not developed with security in mind, and are built with an inherent trust that the code that can access that level of the system must be safe.

Michael Jordon, Research and Development Manager at Context–the security research firm that discovered the WebGL issue–explains, “While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross domain security principle to denial of service attacks, potentially leading to full exploitation of a user’s machine.”

Jordon adds, “We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem, but is down largely to the WebGL specification, which is inherently insecure.”

Tyler Reguly, Technical Manager of Security Research and development for nCircle, commends Context for the work it has done, but at the same he is shocked that this is news. Reguly notes that there has been ongoing debate about the security weaknesses of WebGL for years.

Reguly says the WebGL security risk is a prime example of what is wrong with computer and network security in general. “This security vs. usability trade-off is one of the oldest discussions in information security. In my opinion, the security industry simply did a bad job of communicating the risk of this particular trade-off to the end users.”

Firefox 4 has been downloaded more than 115 million times and counting since its release, and Chrome has been steadily gaining ground on both Firefox and Internet Explorer in browser market share. Combined, the two account for a third of the market in terms of browser usage.

Users can disable WebGL to prevent any potential exploits, but doing so will impact the capabilities of the browser and the Web experience overall. In the long term, the WebGL standard itself needs to be re-engineered to protect against the risk of malicious code using it as a gateway to the core of the system.