Claims that the WebGL graphics standard used by Firefox and Chrome has serious security flaws have been countered by the industry body looking after development of the technology.
A blog post by The Khronos Group said that some of the issues raised earlier this week by UK security consultancy Context Information Security either had or were about to be addressed by software and standards updates.
According to Khronos, the potential Context had uncovered for an attacker to cause the graphics to lock up through the browser had already been addressed by the ‘GL_ARB_robustness’ extension to the OpenGL standard from which WebGL is derived.
The problem, said Khronos, was that only a handful of graphics card vendors had produced drivers to support this. “Browsers can check for the presence of this extension before enabling WebGL content. This is likely to become the deployment mode for WebGL in the near future,” said Khronos.
As for the cross-domain image vulnerability issue, Khronos said that the WebGL working group was considering “Cross Origin Resource Sharing (CORS) opt-in or other mechanisms to prevent abuse of this capability.”
Furthermore, using a technology such as WebGL in browsers offered a way for the graphics card vendors to become more aware of the importance of security at this layer of the operating system.
A response sent to Techworld by Context pointed out the dangers of assuming that graphics card vendors were interested in or able to deal with these issues.
“The use of GL_ARB_robustness will push more responsibility onto the graphics card manufacturers to provide stability and security, which as mentioned in the blog, is of concern as it in turn shifts the responsibility for web security onto graphic driver manufactures,” said Context researcher, Michael Jordon.
“The fundamental halting problem of providing GPU code to a graphics card is not fully mitigated by the use of lockup recovery because the GPU code has already caused the problem before the graphics card is reset,” he said.
"However GL_ARB_robustness will reduce the impact of the Denial of Service issue. The use of CORS would prevent the breaking of the cross domain image problem and we believe this would be a good approach.”
Given that Context has recommended disabling support for WebGL in those graphics cards and browsers that support it (current versions of Firefox and Chrome and development versions of Safari) perhaps the biggest problem is peering through the programming debate to quantify the real risks.
The UK consultancy is right to point out that the graphics layer becomes dangerous if it is being given tasks within browsers that can slip by the OS kernel mode, but it is also true to say that no attacks exist and few users can currently even access WebGL.
A test for WebGL support in browsers can be found on various sites.