June 20, 2011 at 10:24Microsoft calls graphic technology used in Firefox and Chrome dangerous
- Transfer
An unusually harsh statement made by Microsoft says that the WebGL graphics technology promoted by the Khronos Group is too dangerous to have support on Windows.
Both Google Chrome and Mozilla Firefox currently ship with WebGL support. Google calls this "the most powerful way to add 3D graphics to web pages" and encourages developers to "experiment in the field of graphic development." Mozilla is positioning WebGL as the ideal technology for "interactive 3D games, rich graphics applications and a new approach to visual design without using third-party plug-ins."
In turn, Microsoft issued a statement entitled " WebGL consider harmful"on the official Microsoft Security Center blog. It was posted by the group responsible for the security architecture of Windows and other Microsoft products. The
statement came after a couple of reports that describe" serious design flaws "and" security issues "in WebGL. The latest post includes A demonstration of how user data can be stolen through a browser
Microsoft instantly responded with a very tough statement:
The report claims that WebGL support in a browser is "a direct way to expose hardware functionality to the web that is overly permissive." Graphics drivers cannot be dependent on compliance with security rules and there is no working model for ensuring the security of video card drivers. Given the prevalence of attacks using vulnerabilities in third-party products (for example, Adobe Flash and Java applications), this causes legitimate concern on the part of Microsoft.
Microsoft also claims that using WebGL allows you to implement a DoS attack scenario, which will give "the ability to any website to suspend the system or even reboot it at will."
In a post, Ari Bixhorn from the Internet Explorer team makes a direct attack against competitors:
In response to such attacks, the Khronos Group is trying to alleviate the situation regarding security issues, claiming that browser developers are working to comply with WebGL security requirements and the holes shown "are the result of an error in the implementation of WebGL in Firefox." This bug is reportedly fixed in Firefox 5, the final version of which will be presented before the end of the month.
A representative of the Khronos Group declined to respond to a Microsoft report, but noted that Mozilla, Firefox, and Opera all supported WebGL, while Apple announced limited support for WebGL in iOS 5.
A Google spokesman said the company did not consider WebGL a significant threat to its users. Most of the WebGL stack, including GPU processors, “runs in a separate process and is isolated in Chrome to prevent various types of attacks,” the spokesman said. Google claims that it will be able to withstand attacks at a lower level by working with suppliers of hardware, OS and drivers, disabling WebGL on those configurations that are considered unsafe.
Both Google Chrome and Mozilla Firefox currently ship with WebGL support. Google calls this "the most powerful way to add 3D graphics to web pages" and encourages developers to "experiment in the field of graphic development." Mozilla is positioning WebGL as the ideal technology for "interactive 3D games, rich graphics applications and a new approach to visual design without using third-party plug-ins."
In turn, Microsoft issued a statement entitled " WebGL consider harmful"on the official Microsoft Security Center blog. It was posted by the group responsible for the security architecture of Windows and other Microsoft products. The
statement came after a couple of reports that describe" serious design flaws "and" security issues "in WebGL. The latest post includes A demonstration of how user data can be stolen through a browser
Microsoft instantly responded with a very tough statement:
One of the functions of the Microsoft Security Center is to analyze various technologies, which allows you to understand how much this or that technology can directly affect Microsoft or its customers. As part of this strategy, we recently took a look at WebGL. The analysis concluded that Microsoft products that support WebGL are unlikely to meet the requirements of the secure software development process .
[...]
We believe that WebGL will become a source of vulnerabilities that will be difficult to fix. In its current state, WebGL is not a technology that Microsoft can support in terms of security.
The report claims that WebGL support in a browser is "a direct way to expose hardware functionality to the web that is overly permissive." Graphics drivers cannot be dependent on compliance with security rules and there is no working model for ensuring the security of video card drivers. Given the prevalence of attacks using vulnerabilities in third-party products (for example, Adobe Flash and Java applications), this causes legitimate concern on the part of Microsoft.
Microsoft also claims that using WebGL allows you to implement a DoS attack scenario, which will give "the ability to any website to suspend the system or even reboot it at will."
In a post, Ari Bixhorn from the Internet Explorer team makes a direct attack against competitors:
Users should understand that the security of their computers is in question when they go online using Google Chrome and Firefox. Due to the support of WebGL technology by these browsers, sites that distribute malicious programs gain access to the most protected parts of the computer. With security holes like this, it becomes clear that WebGL is not ready to become a standard, and therefore users should not use such browsers. Therefore, Microsoft Security Center recommended refraining from using WebGL in Microsoft products, such as Internet Explorer.
In response to such attacks, the Khronos Group is trying to alleviate the situation regarding security issues, claiming that browser developers are working to comply with WebGL security requirements and the holes shown "are the result of an error in the implementation of WebGL in Firefox." This bug is reportedly fixed in Firefox 5, the final version of which will be presented before the end of the month.
A representative of the Khronos Group declined to respond to a Microsoft report, but noted that Mozilla, Firefox, and Opera all supported WebGL, while Apple announced limited support for WebGL in iOS 5.
A Google spokesman said the company did not consider WebGL a significant threat to its users. Most of the WebGL stack, including GPU processors, “runs in a separate process and is isolated in Chrome to prevent various types of attacks,” the spokesman said. Google claims that it will be able to withstand attacks at a lower level by working with suppliers of hardware, OS and drivers, disabling WebGL on those configurations that are considered unsafe.