As safe as ActiveX?
That is reassuring.
It didn't take long for researchers to pooh pooh last week's advisory that claimed that hard-to-fix design flaws in the emerging WebGL 3D standard seriously imperiled end users who relied on it. Surprisingly, the most outspoken critic of the analyses, published Thursday by UK-based Context Information Security and Microsoft's …
I was also wondering when this happened:
"which for years were among the most exploited Internet Explorer browser component until Microsoft figured out a way to lock them down"
ActiveX controls were 'locked down' from Internet Explorer 4.0 onwards through the use of Security Zones with different options per zone, and the requirement to mark the control as Safe For Initialization and/or Safe For Scripting before it could be initialized with parameters, or referenced in scripts, respectively.
The problems since then have been vulnerabilities in the implementations, sites being able to load in different zones with weaker defaults to load code *not* marked safe, and numerous controls marked safe that in fact were not. I suspect there may have been templates or wizards at one time that made it very easy to add the markings, although I haven't found any shipped with VS 6.0 (1998) or later, at least at the current service pack level. Microsoft have essentially created a blacklist of components not loadable by IE (kill bits).
Later versions of IE reduced the default permissions for the Local Computer zone to be more restrictive than The Internet, defeating many 'zone migration' attacks. The level of prompting for 'missing' controls has changed, throwing fewer prompts, and the few prompts are less obtrusive. Since IE 8, the browser has a user-controllable whitelist of permitted controls. The defaults prevent controls from being run, although all controls that were already on the system at install time are permitted. IE 9 allows a 'run only on this website' and allows ActiveX to be disabled completely, allowing it to be re-enabled on a site-by-site basis. Many commentators were surprised that this stops Flash from working (I consider that a benefit).
Since Windows Vista, IE 'Protected Mode' loads browser and ActiveX code into a lower-rights process that can only write to restricted areas of the disk. Well, unless you've turned off User Account Control.
All browsers have some binary extension mechanism, but they don't run into the problem that IE has, that the extension mechanism is the same as that for a vast quantity of software installed on the host OS, and that a lot of that software is misconfigured and potentially vulnerable.
Wait! Microsoft has a Security Development Lifecycle?
and we've all heard about it because it's been so successful....
"Hey this is really safe!"
"But then people will be inconvenienced and won't be able to run old applications...."
"Oh. Disable it then."
WebGL brings my machines to a crawl, for even moderately sized models*, in a way that VRML/X3D never did. So further optimisation *and* security fixes needed.
(*your polygon count may vary).
I'm not quite sure what to make of this article.
"Microsoft's WebGL claims bashed by own employee". Really? In the quotes you use, he didn't bash them at all. Quite the opposite. He said "no official policy against webgl" - i.e., trying to imply their original "report" was fair and balanced. He said webgl is very new and likely to be buggy. You then quote Mozilla as agreeing with this and summarise that WebGL should welcome MS with open arms as a development partner because of their experience securing Active X and the fantastic security in Silverlight.
This whole thing could be straight out of the MS press release machine.
What they are really saying is anything that accesses the graphics engine can read memory for anything else in the graphics engine because they haven't put any security in at that level. It's not the WebGL thing in particular - it just happens that that has a lot of test suites etc. that can be run to show where things are going wrong.
This also goes for just about any GUI - there is a secure X11 but I don't think anyone uses it - after all, computing's easy, isn't it - who wants to bother about security at every level?
What they are hoping is that by blaming the messenger (WebGL) they will slow the messenger's adoption.
Silly Avi Bar-Zeev... he took Microsoft's "concerns" at face value rather than seeing them as the FUD that they really are!
which is to disable the damned thing and leave it that way. I can't think of a single browser-based application I'd want to run that would benefit from real-time 3D rendering. There are small domains where it might be justified, but for most users it's a pointless waste of resources, even without the security concerns.
Of course, I worked on 3D extensions for X11 twenty years ago, so it may just be that I'm no longer impressed by eye candy.