WebGL 3D API 'harmful', says Microsoft
2011-06-17
[Updated, 4:00 p.m.] -- Microsoft has attacked the Khronos Group's WebGL, a cross-platform 3D graphics API for the web found in Firefox and Chrome, as being "harmful" and "not a technology ... (we) ... can endorse from a security perspective." Hostile websites could use WebGL to steal the contents of a user's screen or freeze or reboot systems at will, the company charges.
A June 16 blog posting by Microsoft's MSRC (Microsoft Security Response Center) Engineering team details why Microsoft has no current plans to support WebGL -- already featured in Firefox and Chrome browsers, including the Linux versions, along with development versions of Opera and Safari. The team writes, "We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective."

The attack comes as a blow to the Khronos Group, the not-for-profit consortium that took over development of WebGL from the Mozilla Foundation and released version 1.0 earlier this year. The group describes WebGL as "an immediate-mode 3D rendering API designed for the web. It is derived from OpenGL ES 2.0, and provides similar rendering functionality, but in an HTML context."

[Image: A basic WebGL demo]

In other words, WebGL is a context of the Canvas HTML element that provides a 3D graphics API without the use of plug-ins. It potentially allows web browsers to deliver 3D graphics along the lines of a computer game. But, Microsoft argues, because the technology gives websites direct access to low-level graphics hardware functionality, some bad things can be done with it.

The company cites ongoing work by London-based Context Information Security, which related in a May blog posting that it had successfully created web pages that could crash people's machines via WebGL.

[Image: Capturing a user's graphics memory via WebGL. Source: Context Information Security]

In a June 16 followup, Context said malicious websites could also use WebGL to capture the contents of graphics memory. As shown above, this would have the effect of stealing whatever data is being shown on a user's screen.
[Image: How stealing graphics memory works. Source: Context Information Security]

Both Context and Microsoft note that vulnerabilities in WebGL will not always manifest themselves in the API itself, but will also crop up in specific web browsers or graphics drivers -- some of which are safer than others. Microsoft's posting notes, "Users are not accustomed to ensuring they are up-to-date on the latest graphics card drivers, as would be required for them to have a secure web experience." Context's June 16 posting "recommends that users and system administrators disable WebGL." For its part, Microsoft summarizes its key concerns as follows:
Khronos responds

Meanwhile, the previously reported denial-of-service issues are likely still present, because browser vendors are still in the process of supporting the GL_ARB_robustness extension. "It is expected that the reported denial-of-service issues will be solved with the integration of this extension," Hirshon adds.

Summing up, Hirshon stated, "All browser vendors are still working toward passing the WebGL conformance suite. Only once they have successfully done so can they claim support of Canvas.getContext("webgl") instead of Canvas.getContext("experimental-webgl")."

Finally, Khronos points to a followup posting by Avi Bar-Zeev, described as a Principal Architect for Microsoft Research. On his personal RealityPrime blog, Bar-Zeev says he's disappointed in the MSRC posting, which "gives the impression that Microsoft runs away from security issues that require some modest technical mitigation." Bar-Zeev adds, "WebGL will be running on my PC and yours, one way or another. Microsoft will need to deal with it. And more to the point, we can actually help make it much more robust if we engage instead of apparently running away."

In his posting, Bar-Zeev also notes that unlike browser plugins -- including the ActiveX controls pioneered by Microsoft's Internet Explorer -- WebGL doesn't allow extreme native access. "No disk writes, no main memory access, no CPU code apart from officially signed drivers -- a shader can really only affect your graphics hardware and screen." Bar-Zeev concludes, "There is clearly only one direction forward for Microsoft and 3D on the web. WebGL is the way."

Further information

WebGL demos may be found on the Khronos website here.

Jonathan Angel can be reached at jonathan.angel@ziffdavisenterprise.com and followed at www.twitter.com/gadgetsense.
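The Khronos remarks above touch on two practical points for anyone shipping WebGL content: the conformant context name is "webgl" while non-conformant browsers still expose only "experimental-webgl", and the denial-of-service cases are meant to be absorbed by GPU robustness support, which surfaces to a page as a lost-and-restored graphics context rather than a crash. The following is an added example, not code from the article, Khronos, Context or Microsoft; it shows a page acquiring a context defensively, recording whether it got the conformant name, and handling the WebGL-specified webglcontextlost / webglcontextrestored events so the page degrades gracefully when the browser or driver resets the GPU. The fake canvas object is constructed here so the code runs offline; the assumption is that a real HTMLCanvasElement behaves the same way for getContext and addEventListener.

```javascript
// Defensive WebGL context acquisition (added example, not from the original page).
// Tries the conformant "webgl" name first and falls back to "experimental-webgl",
// reports which one succeeded, and registers the context-loss handlers that the
// WebGL specification defines. Calling preventDefault() in the "lost" handler
// tells the browser the page wants a chance to be restored later.
function acquireWebGL(canvas, onLost, onRestored) {
  const names = ["webgl", "experimental-webgl"];
  for (const name of names) {
    let ctx = null;
    try {
      ctx = canvas.getContext(name);
    } catch (e) {
      ctx = null; // some browsers throw instead of returning null for unknown names
    }
    if (ctx) {
      if (typeof canvas.addEventListener === "function") {
        canvas.addEventListener("webglcontextlost", (event) => {
          if (event && typeof event.preventDefault === "function") event.preventDefault();
          if (onLost) onLost(); // e.g. stop the render loop, free GPU-side handles
        }, false);
        canvas.addEventListener("webglcontextrestored", () => {
          if (onRestored) onRestored(); // e.g. recreate shaders/buffers, resume rendering
        }, false);
      }
      return { ctx, name, conformant: name === "webgl" };
    }
  }
  // No WebGL at all: the page should fall back to non-3D content here.
  return { ctx: null, name: null, conformant: false };
}

// Constructed stand-in for an HTMLCanvasElement (assumption: a real canvas
// behaves the same way for getContext/addEventListener). `supported` lists
// the context names this fake browser exposes.
function makeFakeCanvas(supported) {
  const listeners = {};
  return {
    getContext(name) {
      return supported.includes(name) ? { contextName: name } : null;
    },
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
    // Test hook: simulate the browser dispatching an event on the canvas.
    fire(type, event) {
      (listeners[type] || []).forEach((fn) => fn(event));
    },
  };
}

// Walks through a browser that only offers "experimental-webgl" and then
// loses and restores the context, returning the observed sequence.
function demo() {
  const events = [];
  const canvas = makeFakeCanvas(["experimental-webgl"]);
  const result = acquireWebGL(
    canvas,
    () => events.push("lost"),
    () => events.push("restored")
  );
  canvas.fire("webglcontextlost", { preventDefault() { events.push("prevented"); } });
  canvas.fire("webglcontextrestored", {});
  return { name: result.name, conformant: result.conformant, events };
}

console.log(demo());
```

The `conformant` flag is what a page can log or report on: a fleet of clients still coming back with "experimental-webgl" is running browsers that have not passed the conformance suite, which is exactly the population the robustness work has not yet reached.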