11 May 2011
The US Computer Emergency Readiness Team (US-CERT) has added its voice to a warning from an IT consultancy of significant security issues in the new WebGL standard, recommending that web users disable the functionality to mitigate risks.
Context Information Security argued in a detailed blog post that the web standard, which was designed to enable 3D graphics on any computer with a compatible browser, is dangerous because it allows browser content to almost directly access a PC's graphics hardware.
As such, it could allow attackers to mount denial-of-service (DoS) attacks by supplying deliberately expensive "shader programs", or by drawing deliberately complex 3D geometry, either of which causes the GPU to spend a long time rendering.
In addition, it may allow cross-domain image theft, in which a page loads an image from another site as a WebGL texture and then reads its pixels back, according to Context Information Security.
US-CERT was quick to pick up on the potential seriousness of the discovery, given that Firefox 4 and Google Chrome have the functionality enabled by default.
"The impact of these issues includes arbitrary code execution, DoS and cross-domain attacks. WebGL is a new web standard that is enabled by default in Firefox 4 and Google Chrome and is included in Safari," noted the US-CERT warning.
"US-CERT encourages users and administrators to review the Context report and disable WebGL to help mitigate the risks."
Industry consortium the Khronos Group, which looks after the WebGL standard, responded to the allegations by saying that it had been working closely with GPU vendors on additional security functionality.
"The Khronos Group has already specified one extension to OpenGL, GL_ARB_robustness, specifically designed to prevent DoS and out-of-range memory access attacks from WebGL content," it said.
"GL_ARB_robustness has already been deployed by some GPU vendors, and Khronos expects it to be deployed rapidly by others. Browsers can check for the presence of this extension before enabling WebGL content. This is likely to become the deployment mode for WebGL in the near future."
Addressing the cross-domain image theft issue, the group said that it is considering requiring "Cross Origin Resource Sharing opt-in or other mechanisms to prevent abuse of this capability".
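The opt-in Khronos describes above (and that the WebGL specification later adopted, refusing "tainted" images) is a simple origin rule. The following is an added illustration, not code from Context, Khronos, US-CERT or any browser: a pure decision function that models whether an image may be used as a texture, given the page's origin, how the `<img>` was requested (`crossOrigin` unset, `"anonymous"` or `"use-credentials"`) and what `Access-Control-Allow-Origin` / `Access-Control-Allow-Credentials` the image server returned. The page URL, image URLs and header values are constructed samples; `originOf`, `textureAllowed` and `evaluateSamples` are names chosen here. Real browsers compare the serialised origin byte for byte; the normalisation of default ports below is for readability.

```javascript
// Added illustration of the cross-origin rule for WebGL image textures.
// Same-origin images are always usable. A cross-origin image is usable only
// if it was fetched in CORS mode (img.crossOrigin set) AND the server opted in
// via Access-Control-Allow-Origin covering the page's origin. Otherwise the
// image is "tainted" and must be refused, since a page could otherwise render
// it to a texture and read the pixels back. Runs in Node; URL is a global.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalised scheme://host:port with default ports made explicit, so that
// "https://app.example" and "https://app.example:443" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// request:  { url, crossOrigin }  crossOrigin: null (no CORS), "anonymous"
//                                 or "use-credentials", as on HTMLImageElement
// response: { acao, acac }        Access-Control-Allow-Origin value (or null);
//                                 acac: Access-Control-Allow-Credentials was "true"
function textureAllowed(pageUrl, request, response) {
  const pageOrigin = originOf(pageUrl);
  if (originOf(request.url) === pageOrigin) {
    return { allowed: true, reason: "same-origin image" };
  }
  if (request.crossOrigin == null) {
    return { allowed: false, reason: "cross-origin image fetched without CORS (tainted)" };
  }
  const acao = response.acao;
  if (acao == null) {
    return { allowed: false, reason: "server sent no Access-Control-Allow-Origin" };
  }
  const credentialed = request.crossOrigin === "use-credentials";
  if (acao === "*") {
    return credentialed
      ? { allowed: false, reason: "wildcard ACAO is rejected for credentialed requests" }
      : { allowed: true, reason: "server opted in with ACAO: *" };
  }
  let acaoOrigin;
  try {
    acaoOrigin = originOf(acao); // e.g. "null" or garbage is not an origin
  } catch (_) {
    return { allowed: false, reason: "ACAO is not a valid origin" };
  }
  if (acaoOrigin !== pageOrigin) {
    return { allowed: false, reason: "ACAO names a different origin" };
  }
  if (credentialed && !response.acac) {
    return { allowed: false, reason: "credentialed request without Access-Control-Allow-Credentials: true" };
  }
  return { allowed: true, reason: "server opted in for this origin" };
}

// Constructed sample cases: a page on app.example pulling images from itself
// and from a third-party CDN.
const PAGE_URL = "https://app.example/gallery";
const SAMPLE_CASES = [
  { name: "same-origin, no CORS",
    req: { url: "https://app.example/img/logo.png", crossOrigin: null },
    res: { acao: null, acac: false } },
  { name: "cross-origin, no CORS (the image-theft case)",
    req: { url: "https://cdn.example/photo.jpg", crossOrigin: null },
    res: { acao: null, acac: false } },
  { name: "cross-origin, CORS requested but server silent",
    req: { url: "https://cdn.example/photo.jpg", crossOrigin: "anonymous" },
    res: { acao: null, acac: false } },
  { name: "cross-origin, server opts in with *",
    req: { url: "https://cdn.example/photo.jpg", crossOrigin: "anonymous" },
    res: { acao: "*", acac: false } },
  { name: "cross-origin, credentialed but wildcard ACAO",
    req: { url: "https://cdn.example/private.jpg", crossOrigin: "use-credentials" },
    res: { acao: "*", acac: true } },
  { name: "cross-origin, credentialed, exact origin plus ACAC",
    req: { url: "https://cdn.example/private.jpg", crossOrigin: "use-credentials" },
    res: { acao: "https://app.example", acac: true } },
];

function evaluateSamples() {
  return SAMPLE_CASES.map(c => ({ name: c.name, ...textureAllowed(PAGE_URL, c.req, c.res) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.allowed ? "ALLOW " : "REFUSE"} ${r.name}: ${r.reason}`);
}
```

Of the six sample cases only the first, fourth and sixth are allowed; the second is exactly the situation Context described, where a third-party image that never opted in would be readable by the page's shaders.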
Wow
Tried the link on the original blog. Completely crashed the Mac at the Apple store.
Posted by: Heriko 11 May 2011