404 Tech Support

Where IT Help is Found

You are here: Home / Articles / News / WebGL In The News For Security Concerns in Firefox 4 and IE9

WebGL In The News For Security Concerns in Firefox 4 and IE9

The Mozilla Security Blog announced yesterday that there is a security concern with WebGL in Mozilla Firefox 4. It could allow attackers to capture screenshots of a visitors browser, including private information.

The problem is specific to Firefox’s implementation of WebGL, not a vulnerability in WebGL itself. A fix will be included in the next update to Firefox, which is scheduled for Tuesday, June 21st. In the meantime, Mozilla recommends that users either update to the Firefox Beta or disable WebGL. To disable it, in Firefox 4’s address bar type about:config. Then type webgl in the filter line and toggle the webgl.disabled to true by double-clicking on the value.

Nine hours before Mozilla’s statement was published, Microsoft’s Security Research & Defense blog posted an article simply titled WebGL Considered Harmful. The article goes on to details three key concerns Microsoft has with WebGL and how they believe it will become a recurring source of hard-to-fix vulnerabilities. (ed. note: Yet, Adobe Flash and Reader…)

The full article goes into much greater detail so be sure to give it a read, but the bullet points of their concerns include:

  • Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive
  • Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience
  • Problematic system DoS scenarios

In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.

We recognize the need to provide solutions in this space however it is our goal that all such solutions are secure by design, secure by default, and secure in deployment.

Two strikes in one day against WebGL, will it last if opinion turns on it? The two articles on the same day are not coincidental. Context Information Security LTD published an article in May calling WebGL a new dimension for browser exploitation. In almost a self-fulfilling prophecy, ContextIS published an update yesterday which demoed further WebGL security flaws – including the screenshot capture exploit Mozilla is patching in Firefox 4.

 

Elevator Pitch

404 Tech Support documents solutions to IT problems, shares worthwhile software and websites, and reviews hardware, consumer electronics, and technology-related books.

Subscribe to 404TS articles by email.

Follow Us

Recent Posts

FTC Disclaimer

404TechSupport is an Amazon.com affiliate; when you click on an Amazon link from 404TS, the site gets a cut of the proceeds from whatever you buy. This site also uses Skimlinks for smart monetization of other affiliate links.
Use of this site requires displaying and viewing ads as they are presented.