WebGL is just too dangerous to support, says Microsoft
Microsoft Security Response Center (MSRC) Engineering has concluded that WebGL, the royalty free cross-platform API for browser-based 3D graphics, is "overly permissive," insecure, and potentially harmful to machines using it. Development of the technology was spearheaded by Mozilla, Google, Opera, AMD, and Nvidia, and was endorsed by the Khronos Group.
Based upon an MSRC Engineering review, and using two Context Information Security reports as supportive evidence, Microsoft on Thursday said it cannot endorse the use of WebGL in its current form.
Because the technology utilizes hardware acceleration, Microsoft believes that WebGL exposes much more of a user's system than previously, and could result in remote compromise. Furthermore, Microsoft says the security servicing model for video card drivers "is just not compatible with the needs of a security update process." This means when vulnerabilities are discovered in video cards, there isn't a simple security update that can be run because the driver rules differ from one piece of hardware to the next.
Finally, Microsoft says the technology opens the door for client-side attacks that operating systems just aren't prepared for. Context IS has built a number of proof of concept exploits over the last few months that show WebGL to be vulnerable to client side denial of service attacks. In short, it is possible to create shader programs with complex 3D geometry that end up consuming all of the client's GPU resources.
"Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Although mitigations such as ARB_robustness and the forthcoming ARB_robustness_2 may help, they have not proven themselves capable of comprehensively addressing the DoS threat." MSRC Engineering said.
WebGL is currently available in Chrome and FIrefox. Opera has released the technology as a demo, but hasn't woven it into an Opera release yet, but recently showed off its implementation of WebGL for gaming purposes.