Wednesday, May 11, 2011

Turn off WebGL in new browsers

As is typical of a new standard, after it has been out for a while people start discovering security flaws.  WebGL is no exception.  If you are running Firefox 4, use "about:config: to disable it.

US CERT: WebGL Security Risks
added May 10, 2011 at 11:35 am
US-CERT is aware of reports indicating that WebGL contains multiple significant security issues. The impact of these issues includes arbitrary code execution, denial of service, and cross-domain attacks. WebGL is a new web standard that is enabled by default in Firefox 4 and Google Chrome and is included in Safari.

US-CERT encourages users and administrators to review the Context report and disable WebGL to help mitigate the risks.
User-friendly (well, less user-hostile) write-up here:
Dangerous WebGL Flaw Puts Firefox and Chrome Users at Risk | PCWorld Business Center

Security researchers have discovered a dangerous vulnerability in WebGL--a Web standard used by Firefox and Chrome to deliver 3D graphics within the Web browser. The flaws may be exploited to enable an attacker to run malicious code on the system, and could expose sensitive data.


The issue with WebGL isn't a vulnerability per se, but a fundamental design flaw.What is the risk? WebGL enables Internet-based programs to access the graphics driver and graphics hardware--exposing low-level core functions of the system to possible malicious exploits. The graphics hardware and drivers are not developed with security in mind, and are built with an inherent trust that the code that can access that level of the system must be safe.

How to disable WebGL in Firefox 4
How to disable WebGL in Chrome

No comments: