Wednesday, September 03, 2014
Search
  
Submit your own News for
inclusion in our Site.
Click here...
Breaking News
Apple Says ICloud Not Breached
webOS Is Still Alive With LuneOS ROM Release for Android, webOS Devices
AMD Launches AMD Radeon R9 285 Graphics, "Never Settle: Space Edition" Game Bundle
AMD Introduces New 8-core FX-series Processors
New Philips Hue Beyond Combines Functionality And Ambient Lighting for Home
LG and Samsung Add Swarovski Crystals on Their Products
Pioneer DDJ-WeGO3 Allows You To Mix Tracks from Spotify or iTunes
Apple's iCloud Could Have Allowed Celebrity Nude-Photo Leak
Active Discussions
help questions structure DVDR
Made video, won't play back easily
Questions durability monitor LCD
Questions fungus CD/DVD Media, Some expert engineer in optical media can help me?
CD, DVD and Blu-ray burning for Android in development
IBM supercharges Power servers with graphics chips
Werner Vogels: four cloud computing trends for 2014
Video editing software.
 Home > News > General Computing > Microso...
Last 7 Days News : SU MO TU WE TH FR SA All News

Friday, June 17, 2011
Microsoft Claims WebGL Is Harmful


The Khronos Group's WebGL technology is a cross-platform, a 3D graphics API for the web, supported by Chrome and Firefox browsers. Microsoft has analyzed the technology and concluded that it could be harmful and not safe.

Microsoft's MSRC Engineering team, which analyzes various technologies in order to understand how they can potentially affect Microsoft products, took a look at WebGL. Microsoft's analysis concluded that the company's products supporting WebGL would have difficulty passing Microsoft?s Security Development Lifecycle requirements.

Microsoft claims that browser support for WebGL directly exposes hardware functionality to the web in a way that it "overly permissive."

"The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really need to worry about before. Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern. We expect to see bugs that exist only on certain platforms or with certain video cards, potentially facilitating targeted attacks," Microsoft said.

Any uncovered WebGL vulnerabilities will not always manifest in the WebGL API itself. The problems may exist in the various OEM and system components delivered by IHV's. "While it has been suggested that WebGL implementations may block the use of affected hardware configurations, this strategy does not seem to have been successfully put into use to address existing vulnerabilities," Microsoft added.

Microsoft also believes that as configurations are blocked, increasing levels of customer disruption may occur. "Without an efficient security servicing model for video card drivers, users may either choose to override the protection in order to use WebGL on their hardware, or remain insecure if a vulnerable configuration is not properly disabled," the company said.

"Users are not accustomed to ensuring they are up-to-date on the latest graphics card drivers, as would be required for them to have a secure web experience. In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often only update their drivers once per year, a reality that is just not compatible with the needs of a security update process."

Microsoft added that WebGL systems will be vulnerable to Denial-Of-Service (DoS) scenarios.

"Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Although mitigatinos such as ARB_robustness and the forthcoming ARB_robustness_2 may help, they have not proven themselves capable of comprehensively addressing the DoS threat. While traditionally client-side DoS is not a high severity threat, if this problem is not addressed holistically it will be possible for any web site to freeze or reboot systems at will. This is an issue for some important usage scenarios such as in critical infrastructure," the company said.

The company concluded saying that "WebGL will likely become an ongoing source of hard-to-fix vulnerabilities. In its current form, WebGL is not a technology Microsoft can endorse from a security perspective."

WebGL, a technology which brings hardware-accelerated 3D graphics to the browser, has been supported by Google's Chrome and Mozilla's FireFox browsers. The technology allows users to experience 3D content right inside the browser with no need for additional software. Microsoft's Internet Explorer 9 does not support WebGL. The company supports its own, proprietary, Direct3D.


Previous
Next
Panasonic Introduces Ruggedized Toughbook Tablet        All News        LG Rolls Out OPTIMUS 3D Smartphone
Google Launches Personal Reputation Management Tool     General Computing News      GLOBALFOUNDRIES Appoints New CEO, Announces Investment Plan Through 2012

Get RSS feed Easy Print E-Mail this Message

Related News
China Gives Microsoft Deadline To Respond To Anti-trust Probe
China Probes Microsoft Over Web Browser And Media Player
FCC Filing Hints At a Microsoft Rival To Chromecast
Microsoft to Announce Windows 9 on September Event: report
Samsung, Microsoft Want To End Android Patent Dispute Soon
Sony, Huawei, Microsoft To Announce New Smartphones at 2014 IFA
Microsoft Releases 19-euro Music Phone
Microsoft Sues Samsung Over Royalty Payments
Microsoft Releases New Limited Edition Wireless Mobile Mouse 3500 With Master Chief from Halo
Microsoft Details Windows Phone 8.1 Update, Brings Cortana To New Markets
Microsoft Releases The Sharks Cove, A Raspberry Pi Alternative
China Starts Anti-monopoly Investigation On Microsoft

Most Popular News
 
Home | News | All News | Reviews | Articles | Guides | Download | Expert Area | Forum | Site Info
Site best viewed at 1024x768+ - CDRINFO.COM 1998-2014 - All rights reserved -
Privacy policy - Contact Us .