Firefox web 3D engine fosters image theft bug

An industry standard graphics engine recently added to Mozilla's Firefox browser allows attackers to surreptitiously steal any image displayed on a Windows or Mac computer just by visiting a booby-trapped website, security researchers have warned. The vulnerability, reported Thursday by UK-based Context Information Security, is …

COMMENTS

This topic is closed for new posts.
  1. Chris 244

    NoScript Options->Forbid WebGL

    See above.

  2. Eddy Ito

    Disable instructions

    To sum up so you don't actually have to look if you don't want to:

    Firefox 4: "about:config" and change the setting "webgl.disabled" to true.

    Chrome Windows: add "--disable-webgl" to the end of the "Target" parameter in the shortcut.

    Chrome OS X: see instructions here...

    http://superuser.com/questions/271678/how-do-i-pass-command-line-arguments-to-dock-items

    Didn't see any Linux instructions but if anyone knows, have at.

    1. The BigYin

      Probably the same

      Assuming Linux suffers from this issue, by the sounds of it it would.

      Just checked FF and the options are the same on Linux.
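Eddy Ito's Firefox instructions above amount to a single preference, and on Windows, Mac or Linux it ends up as a line in the profile's prefs.js (or user.js). The following is an added example, not code from the thread or from Mozilla: it parses such a file and reports whether WebGL has actually been switched off, so a helpdesk or admin can verify the change across profiles. The sample prefs.js contents are constructed for the example.

```python
import re

# Matches lines such as:  user_pref("webgl.disabled", true);
# The older pref(...) form used in default pref files is accepted too.
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$'
)


def _parse_value(raw):
    """Convert a prefs.js literal (bool, int or quoted string) to a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected untouched


def parse_prefs(text):
    """Return {pref_name: value} for every pref line in a prefs.js/user.js body."""
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//") or line.startswith("/*"):
            continue  # skip the header comment Firefox writes and blank lines
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def webgl_disabled(text):
    """True only when webgl.disabled is explicitly true; the default is WebGL on."""
    return parse_prefs(text).get("webgl.disabled") is True


# Constructed sample of a Firefox 4 profile's prefs.js (not a real capture)
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1307000000);
user_pref("browser.startup.homepage", "http://www.theregister.co.uk/");
user_pref("webgl.disabled", true);
"""

if __name__ == "__main__":
    print("WebGL disabled:", webgl_disabled(SAMPLE_PREFS))
```

Point it at a real profile with `webgl_disabled(open(path).read())`; note that Firefox rewrites prefs.js on exit, so check it with the browser closed.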

  3. Old Handle

    Wonderful

    So basically they're trying to turn Firefox into Adobe Reader.

  4. SilentLennie

    hardware acceleration

    Most of the modern browsers all have hardware acceleration (IE9+, Opera 11+, Mozilla 4+, Chrome 11 or 12+) and this will probably mean you will see security issues in video-card drivers being exploited.

    I don't believe Open-/WebGL is an exception.

    1. The Original Steve

      Not quite true

      IE uses DirectX APIs for its graphics, therefore the OS provides the security as the browser doesn't touch any drivers or hardware directly / without going through the OS security model.

      WebGL allows the browser to talk straight to the graphics drivers, bypassing any security put in place by the OS.

      Microsoft's point is that people can own your whole screen, kernel-panic / BSOD the OS or reboot the machine by 3rd party OEMs providing buggy drivers. If the OS provides secured APIs (such as DirectX) then another layer of security is introduced.

      And as much as this may not be a popular view, I'd rather have a Microsoft API layer in between some chipset drivers and my browser, thanks.

      Not to mention the headache for non-geeks to update video drivers compared to updating DirectX via Windows Update.

  5. Tinker Tailor Soldier

    Hardware Acceleration isn't always WebGL

    WebGL is a nominally API-independent exposure of the underlying 3D hardware, directly accessible from JS. Browsers that implement hardware acceleration do it at different depths (composition only, primitive rendering) and with different levels of exposure to installed plug-ins.

    IE9 supports hardware accelerated primitive rendering and hardware accelerated composition but does not expose WebGL. The extra level of indirection going through Canvas or the DOM limits the amount of access to the hardware. This doesn't mean indirect exploits are completely impossible, but it is a lot less exposure than being able to pass a shader directly to a driver to be executed on the GPU.

  6. Tom 7

    Very old object of 20 stellar masses calls kettle black.....

    Only on Windows or Mac? Does that mean Mozilla's WebGL merely finds flaws in their APIs?

    I suspect that if an app (FF) can access the graphics in other apps the problem is not actually with WebGL but the underlying windowing system and this surreptitious cut and paste will rapidly reappear in malicious code now it has been exposed.

  7. The BigYin

    Here's a thing

    MS found a vulnerability, jolly good. Did they report it to Khronos/Mozilla/Google and give them time to fix before they went public? Or did they just publish? (And only a short while after IE9 was spunked out - curious).

    The story does not say, and it's an important question. Or should zero-days on MS products now be made public as a matter of course?

    1. Rob Moir

      Read the article carefully

      Microsoft didn't find the vulnerabilities - they produced a "general" report suggesting the tech would be vulnerable. Someone else found the actual vulnerabilities.

      1. The BigYin

        My mistakes

        It was "Context Information Security" who published the big report, MS who did some light-weight review.

        But the question remains - Did they report it to Khronos/Mozilla/Google and give them time to fix before they went public?

  8. petur

    Bug in beta version?

    So basically these guys are making a lot of noise about a bug they found in a beta of FF5? Right...

    Good thing not all beta testers do this :)

  9. Anonymous Coward

    Let me fix that for you

    "Microsoft has instead relied on a home-grown technology known as Direct3D to make graphics faster in its applications."

    "Microsoft has instead relied on a home-grown technology known as Direct3D to embrace and extend, and ensure games are hard to port to other OS apart from xbox."

    1. Shakje

      You can hate MS as much as you want...

      However, the above is just random naivety. DirectX was around about, what, 10 years or so before they started on the Xbox? It came about as a way of unifying hardware in general for games development on the Windows platform. Even though early versions were quite atrocious, they stuck it out and actually created something worth using. It's becoming less relevant today because other platforms are gaining more ground and PC gaming is falling by the wayside a bit in comparison to consoles, but there's no doubt that without DirectX you probably wouldn't have the same sort of progress in hardware and software that has led us to the point we're at now.

      1. Anonymous Coward

        You can love em all you like too

        There was fuck all wrong with OpenGL when MS invented D3D. The sole reason to do it was to lock developers into their toolchain, keep games exclusive to windows, and tie in the whole PC gaming experience to an MS license, which came in handy when they decided to do xbox - I never said they did it *for* xbox.

        BTW, I don't 'hate' MS but you are being foolish if you don't think D3D is a purposeful lock-in mechanism that MS have benefited from.

        1. Tinker Tailor Soldier

          Revisionist, I like it...

          DirectX was intended to more directly target the hardware AND move control of the primitives from the vendors' control to the OS vendor's. Take a look at the exposed capabilities for lower end cards on each API and draw your own conclusions - especially from DX10 up. Indeed some of the reason the early versions were a bit nightmarish to program was that it forced the application to do a little bit too much....

          It also fixed some basic issues with GL such as thread-based versus explicit contexts... and like it or not, DirectX 10 is pretty far from standard GL in terms of how it completely removed the fixed function pipeline.

  10. lurker

    Whether MS are right or wrong..

    The makers of Internet Exploder, one of the most security-hole-prone pieces of software in history, lecturing on the insecurity of competitor browser tech, is rather cheeky.

    1. Andrew Norton

      Your fanboi is showing

      For the last few years, the "security-hole-prone pieces of software in history" award has belonged to Firefox. Some years, it has more exploits than several of its competitors combined. I think in 08, Firefox averaged an exploit every 3-4 days (that takes some doing!) And who can forget Firefox 3's release, complete with exploit they carried over from Firefox 2....

      Why people still defend that slow POS I'll never know. Maybe it's because it's open source (although since they don't tend to read the source, they're still trusting someone else's word), perhaps the plugins (although releasing such a huge browser that doesn't actually do much and is slow, and THEN to have to add all that extra code on top isn't much of a plus for me)

      Oh, I know what it is. It's the MILLIONS of dollars spent advertising firefox, telling people they should run it.

  11. Mike 137

    Unitialised Data?

    "...to be stolen by an attacker by reading unitialised data from graphics memory". First, I'm wondering what "unitialised data" are. Supposing they mean uninitialised memory, it's impossible to "steal" data from uninitialised memory - by definition it doesn't contain data as you haven't put any there. If they mean residual data from previous memory writes, they should say so. This looks like sloppy thinking. But most of the problems we face in IT security result from sloppy thinking - this is just another example of it.

    1. Robert Carnegie

      I suppose it does mean,

      memory not re-initialised to zeroes - or to random state - after previous use.

      I suspect it's like flash memory cards - where any space that's previously been stored is liable to exist as multiple copies of the data in separate blocks of memory cells. But this is inaccessible, normally...

  12. vic 4

    Useful for Ads!

    You can see why Apple may want this feature to be available for serving ads, they can do a quick screen grab, run it through OCR and find out what you might be interested in based on what you are doing :-(

    1. vic 4

      voted down?

      ok, it was a poor joke, what do you expect after a week at work.

  13. Anonymous Coward

    The rush for shiny

    "Microsoft products that implemented WebGL would have a tough time passing the company's rigorous Security Development Lifecycle, the analysis added."

    Wait a moment for the laughter to die down!

    But they do have a point somewhere in all this: in the rush to replicate an entire desktop environment (or whatever the cool kids call it these days) in the browser, a lot of the more considered thought has been discarded in favour of more instantly gratifying shiny. Hence there being no interest in pushing stuff like SVG or XForms any further, instead having stuff like the canvas element pushed out to the masses with a bunch of 1980s microcomputing-style primitives and a JavaScript program on every Web page spinning the CPU at 100%.

    Ultimately, "more performance" is required for whatever superfluous "design" product has been deployed, and then there's the risk of duplicating Microsoft's own architectural mistakes as more technology is dragged in and pushed to the fore. For once, you can't blame Microsoft for not wanting to implement what are actually de-facto standards which actually originate from proprietary software vendors Opera and (although not completely applicable to WebKit) Apple.

  14. Robert Carnegie

    By the way,

    Does "OpenCL" - repeat CL - have similar possible problems?

    Conversely, is pointing out the problems a strike by Microsoft against ARM?
