Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Time to disable WebGL ? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Time to disable WebGL ?

WebGL ? I had never heard of WebGL before and I'm sure quite a few among our readers are in the same boat. Yet it is implemented in Firefox 4 and Chrome and Safari browsers and apparently even turned on by default in Firefox 4 and Chrome. Yet, there's something wrong with its security.

So what is WebGL?

It's a way to let components on webpages display 3D models using the full power of the graphics card in the computer. Effectively this exposes some portions of the graphics card's software via the browser to the Internet. 

US-CERT recommends to turn off WebGL in the browsers that do support it (Firefox 4, Chrome, Safari (not enabled by default))

I've looked on my mac how to enable/disable WebGL in Firefox 4, Chrome and Safari, but have been unsuccessful so far as to find even a mention of WebGL in any of them [to be continued...].

References and far more detail:

Thanks go to James for the heads-up.

--
Swa Frantzen -- Section 66

Swa

760 Posts
firefox - browse to "about:config" and enter "webgl" in the filter. Double-click on "webgl.disabled".
Hal

50 Posts Posts
Chrome on Mac ... chrome://plugins should have it listed, but its not there in v11.
@HackDefendr

65 Posts Posts
For Chrome here is a list of all the about:config like pages: hxxp://googlesystem.blogspot.com/2008/09/google-chromes-about-pages.html
@HackDefendr

65 Posts Posts
The same day as http://chrome.angrybirds.com comes out! Sheesh...
Anonymous

Posts
What is the big issue here ?
Code is executed on a GPU, which has limited access to the main computer.
It is many years ago, that Microsoft did do away with putting drivers in the outer ring for security. I think it was Windows 2000 or XP, they moved graphics drivers to kernel mode, to ensure all users could exploit vulnerabilities in the graphics drivers to do whatever they wanted.

BTW: If this is such a big issue, we also need instructions on how to disable the hardware acceleration of Flash, it is probably in the same league.
Povl H.

70 Posts Posts
I would be more worried about them using the general processing APIs like CUDA or STREAM to accelerate malware functions - whether that's local password cracking or whatever it opens up a massive amount of computing resources that the average user may not even notice is in use.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!