WebGL flaws give hackers a new point of entry

The graphics technology, used in browsers like Firefox and Chrome, can be used to access the most protected parts of a PC

Security researchers at the U.K.'s Context Information Security have identified serious flaws in the WebGL graphics standard used by default in Firefox 4 and Google Chrome; they're also available in Apple's Safari browser. The researchers recommend disabling the technology, which helps generate 3D graphics on websites. The flaws could be used to open an attack vector on a PC's graphics drivers, which in turn open access to the OS kernel.

Context did not go into specifics on the vulnerabilities but said it had exploited them with proof-of-concept attacks. Most worrisome: The attacks take advantage of major architectural flaws to go straight to what is supposed to be the most secure part of an operating system.

"These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design," wrote Context security consultant James Forshaw. "Fundamentally, WebGL now allows full (Turing Complete) programs from the Internet to reach the graphics driver and graphics hardware, which operate in what is supposed to be the most protected part of the computer (Kernel Mode)."

Because WebGL is a browser-based technology, the vulnerabilities apply to Windows, Mac OS X, and Linux systems alike. Context has even gone so far as to argue that WebGL was not ready for mass distribution because of the severity of the security issues.

The graphics cards and drivers that interface with WebGL and similar technologies typically don't have much by way of security features as they are created with the assumption that they will be working with trusted apps in a secure environment. As such, it's crucial for Web technologies to provide proper security so that the susceptible graphics cards and drivers aren't exposed to attack. In light of these fundamental issues raised by the WebGL vulnerabilities, Web graphics standards may need to be redesigned from the ground up.

This article, "WebGL flaws give hackers a new point of entry," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.