New web browser exploit vector: WebGL
Tiffanys:
--- Quote ---
WebGL - A New Dimension for Browser Exploitation
James Forshaw
Summary
WebGL is a new web standard for browsers which aims to bring 3D graphics to any page on the internet. It has recently been enabled by default in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari. Context has an ongoing interest in researching new areas affecting the security landscape, especially when it could have a significant impact on our clients. We found that:
1. A number of serious security issues have been identified with the specification and implementations of WebGL.
2. These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.
3. Additionally, there are other dangers with WebGL that put users’ data, privacy and security at risk.
4. These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).
5. Browsers that enable WebGL by default put their users at risk to these issues.
--- End quote ---
More here: http://www.contextis.co.uk/resources/blog/webgl/
Unless you actually want to see 3D stuff in your browser, and take the risk, you should disable WebGL. In Firefox, you can disable WebGL by typing about:config into the address bar, finding webgl.disabled and setting it to true.
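To confirm that the setting from the post above is actually in effect, this added example (not part of the original post) reads Firefox profile preference text and lists the profiles where `webgl.disabled` is not effectively true. The profile names and file contents are constructed samples; it assumes the usual `user_pref(...)` line format, with `user.js` applied over `prefs.js` at startup.

```python
import re

# One preference line as written in Firefox's prefs.js / user.js, e.g.
#   user_pref("webgl.disabled", true);
# Lines commented out with // do not match. Block comments are not handled.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: raw_value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def webgl_disabled(prefs_js="", user_js=""):
    """Effective webgl.disabled for one profile.

    user.js takes precedence over prefs.js. If the preference is absent,
    the browser default applies, which leaves WebGL enabled.
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get("webgl.disabled", "false") == "true"

def audit(profiles):
    """Return sorted names of profiles where WebGL is still enabled."""
    return sorted(name for name, files in profiles.items()
                  if not webgl_disabled(files.get("prefs.js", ""),
                                        files.get("user.js", "")))

# Constructed sample profiles (hypothetical names and contents).
SAMPLE_PROFILES = {
    "default":    {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
    "hardened":   {"prefs.js": 'user_pref("webgl.disabled", true);\n'},
    "overridden": {"prefs.js": 'user_pref("webgl.disabled", true);\n',
                   "user.js":  'user_pref("webgl.disabled", false);\n'},
    "commented":  {"user.js":  '// user_pref("webgl.disabled", true);\n'},
}

if __name__ == "__main__":
    for name in audit(SAMPLE_PROFILES):
        print("WebGL still enabled in profile:", name)
```

For a real check, pass the contents of each profile directory's `prefs.js` and `user.js` to `webgl_disabled`.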
mgz:
noscript noproblem
dogsinafen:
Even with noscript I'll still disable this option... Thanks for the info.
AceHigh:
Thanks, peach.
NaRu:
It's now off. Thanks for the tip.