WebGL ? I had never heard of WebGL before and I'm sure quite a few among our readers are in the same boat. Yet it is implemented in Firefox 4, Chrome and Safari browsers and apparently even turned on by default in Firefox 4 and Chrome. Yet, there's something wrong with its security.

So what is WebGL?

It's a way to let components on webpages display 3D models using the full power of the graphics card in the computer. Effectively this exposes some portions of the graphics card's software via the browser to the Internet. 

US-CERT recommends to turn off WebGL in the browsers that do support it (Firefox 4, Chrome, Safari (not enabled by default))

I've looked on my mac how to enable/disable WebGL in Firefox 4, Chrome and Safari, but have been unsuccessful so far as to find even a mention of WebGL in any of them [see below].

References and far more detail:

• http://www.contextis.com/resources/blog/webgl/
• http://www.us-cert.gov/current/index.html#web_users_warned_to_turn
• http://www.theregister.co.uk/2011/05/11/chrome_firefox_security_threat/
• http://www.khronos.org/news/permalink/webgl-security

Thanks go to James for the heads-up.

Update: how to disable webgl in firefox 4.0.1:

Type about:config in the address bar. And toggle the webgl.disabled variable to true.
I can confirm this stops webgl from working on demo sites that explain how to use webgl such as http://www.webkit.org/blog-files/webgl/SpiritBox.html. Shows a spinning box if you have webgl, and a rectangle if you don't.

Update: how to disable webgl in chrome:

It needs the --disable-webgl argument on the command line

Update: we will from now on need to keep a much more careful eye on the security issues of graphic card drivers, and get these updated if and when they fix security issues.

Update: if you're using derived browsers from one of the affected browsers, it's a good idea to check if they support WebGL and then contact the makers in order to figure out how to disable it.

--
Swa Frantzen -- Section 66