NoScript Options->Forbid WebGL
An industry standard graphics engine recently added to Mozilla's Firefox browser allows attackers to surreptitiously steal any image displayed on a Windows or Mac computer just by visiting a booby-trapped website, security researchers have warned. The vulnerability, reported Thursday by UK-based Context Information Security, is …
To sum up so you don't actually have to look if you don't want to:
Firefox 4: "about:config" and change the setting "webgl.disabled" to true.
Chrome Windows: add "--disable-webgl" to the end of the "Target" parameter in the shortcut.
Chrome OS X: see instructions here...
Didn't see any Linux instructions but if anyone knows, have at.
Assuming Linux suffers from this issue, by the sounds of it it would.
Just checked FF and the options are the same on a Linux.
So basically they're trying to turn Firefox into Adobe Reader.
Most of the modern browsers all have hardware acceleration (IE9+, Opera 11+, Mozilla 4+, Chrome 11 or 12+) and this will probably mean you will see security issues in video-card drivers being exploited.
I don't believe Open-/WebGL is an exception.
IE uses DirectX API's for it's graphics, therefore the OS provides the security as the browser doesn't touch any drivers or hardware directly / without going through the OS security model.
WebGL allows the browser to talk straight to the graphics drivers, bypassing any security put in place by the OS.
MIcrosoft's point is that people can own your whole screen, kernel-panic / bsod the OS or reboot the machine by 3rd party OEM's providing buggy drivers. If the OS provides secured API's (such as DirectX) then another layer of security is introduced.
And as much as this may not be a popular view, I'd rather have a Microsoft API layer inbetween some chipset drivers and my browser thanks.
Not to mention the headache for non-geeks to update video drivers compared to updating DirectX via Windows Update.
WebGL is a nominally API independent expose of the underlying 3D hardware directly accessible from JS. Browsers that implement hardware acceleration do it at different depths (Composition only, primitive rendering) and with different levels of exposure to installed plug-in.
IE9 supports hardware accelerated primitive rendering and hardware accelerated composition but does not expose WebGL. The extra level of indirection going through Canvas or the DOM limits the amount of access to the hardware. This doesn't mean indirect exploits are completely impossible, but it is a lot less exposure than being able to pass a shader directly to a driver to be executed on the GPU.
Only on Windows or Mac? Does that mean Mozillas WebGl merely finds flaws in their API's?
I suspect that if an app (FF) can access the graphics in other apps the problem is not actually with WebGL but the underlying windowing system and this surreptitious cut and paste will rapidly reappear in malicious code now it has been exposed.
MS found a vulnerability, jolly good. Did they report it to Khronos/Mozilla/Google and give them time to fix before they went public? Or did they just publish? (And only a short while after IE9 was spunked out - curious).
The story does not say, and it's an important question. Or should zero-days on MS products now be made public as a matter of course?
Microsoft didn't find the vulnerabilites - they produced a "general" report suggesting the tech would be vulnerable. Someone else found the actual vulnerabilities.
It was "Context Information Security" who published the big report, MS who did some light-weight review.
But the question remains - Did they report it to Khronos/Mozilla/Google and give them time to fix before they went public?
So basically these guys are making a lot of noise about a bug they found in a beta of FF5? Right...
Good thing not all beta testers do this :)
"Microsoft has instead relied on a home-grown technology known as Direct3D to make graphics faster in its applications."
"Microsoft has instead relied on a home-grown technology known as Direct3D to embrace and extend, and ensure games are hard to port to other OS apart from xbox."
However, the above is just random naivety. DirectX was around about, what, 10 years or so before they started on the Xbox? It came about as a way of unifying hardware in general for games development on the Windows platform. Even though early versions were quite atrocious, they stuck it out and actually created something worth using. It's becoming less relevant today because other platforms are gaining more ground and PC gaming is falling by the wayside a bit in comparison to consoles, but there's no doubt that without DirectX you probably wouldn't have the same sort of progress in hardware and software that has led us to the point we're at now.
There was fuck all wrong with OpenGL when MS invented D3D. The sole reason to do it was to lock developers into their toolchain, keep games exclusive to windows, and tie in the whole PC gaming experience to an MS license, which came in handy when they decided to do xbox - I never said they did it *for* xbox.
BTW, I don't 'hate' MS but you are being foolish if you don't think D3D is a purposeful lock in mechanism that MS have benefited from.
DirectX was intended to more directly target the hardware AND moves control of the primitives from the vendors control to the OS vendor's. Take a look at the exposed capabilities for lower end cards on each API and draw your own conclusions - especially from DX10 up. Indeed some of the reason the early versions were a bit nightmarish to program was that it force the application to do a little bit too much....
It also fixed some basic issues with GL such as thread-based versus explicit contexts... and like it or not, DirectX 10 is pretty far from standard GL in terms of how it completely removed the fixed function pipeline.
The makers of Internet Exploder, one of the most security-hole-prone pieces of software in history, lecturing on the insecurity of competitor browser tech, is rather cheeky.
For the last few years, the "security-hole-prone pieces of software in history" award has belonged to Firefox. some years, it has more exploits than several of it's competitors combined. I think in 08, Firefox averaged an exploit every 3-4 days (that takes some doing!) And who can forget Firefox 3's release, complete with exploit they carried over from firefox2....
Why people still defend that slow POS I'll never know. Maybe it's because it's open source (although since they don't tend to read the source, they're still trusting someone elses word), perhaps the plugins (although releasing such a huge browser that doesn't actually do much and is slow, and THEN to have to add all that extra code on top isn't much of a plus for me)
Oh, I know what it is. It's the MILLIONS of dollars spent advertising firefox, telling people they should run it.
"...to be stolen by an attacker by reading unitialised data from graphics memory". First, I'm wondering what "unitialised data" are. Supposing they mean uninitialised memory, it's impossible to "steal" data from uninitialised memory - by definition it doesn't contain data as you haven't put any there. If they mean residual data from previous memory writes, they should say so. This looks like sloppy thinking. But most of the problems we face in IT security result from sloppy thinking - this is just another example of it.
memory not re-initialised to zeroes - or to random state - after previous use.
I suspect it's like flash memory cards - where any space that's previously been stored is liable to exist as multiple copies of the data in separate blocks of memory cells. But this is inaccessible, normally...
You can see my Apple may want this feature to be avaiable for serving ads, they can do a quick screen grab, run it through ocr and find out what you might be interested in based on what you are doing :-(
ok, it was a poor joke, what do you expect after a week at work.
"Microsoft products that implemented WebGL would have a tough time passing the company's rigorous Security Development Lifecycle, the analysis added."
Wait a moment for the laughter to die down!
Ultimately, "more performance" is required for whatever superfluous "design" product has been deployed, and then there's the risk of duplicating Microsoft's own architectural mistakes as more technology is dragged in and pushed to the fore. For once, you can't blame Microsoft for not wanting to implement what are actually de-facto standards which actually originate from proprietary software vendors Opera and (although not completely applicable to WebKit) Apple.
Does "OpenCL" - repeat CL - have similar possible problems?
Conversely, is pointing out the problems a strike by Microsoft against ARM?