WebGL Poses New Security Problems

Julie188 writes "Researchers are warning that the WebGL standard undermines existing operating system security protections and offers up new attack surfaces. To enable rendering of demanding 3D animations, WebGL allows web sites to execute shader code directly on a system's graphics card. This can allow an attacker to exploit security vulnerabilities in the graphics card driver and even inject malicious code onto the system."

Re:WebGL was always a bad idea

[hairyfeet]

While this may be true, something has seriously been bothering me lately, maybe someone here at /. can explain...WTF is it with the obvious MSFT shills here lately? Did they get a deal on that HB Gary Fed software or something?

I just don't get it. I mean sure the WinPhone ain't doing so hot, but the X360 is a hit and fulfilled its stated goal to get MSFT out of the office and into the living room, Windows 7 frankly rocks, and this is from someone who hung onto Win2K and XP X64 because frankly I thought their consumer OSes were lame, and last numbers I saw had fully two thirds of new servers being sold with WinServer and WinSBS Server was racking up the numbers. So WTF? The obvious shilling now makes NO sense, and just turns folks off. So why do it?

As for TFA this is something else that I think deserves a WTF and that is JavaScript and the current way we are doing things. Sites like FB are twisting JScript in ways it was never designed and now that we are starting to make real process on killing drive bys with low rights mode and getting rid of those damned "hey lets run as admins!" XP boxes now everyone wants to run third party web code bare metal? WTF?

Maybe with all this Web 3.0 crud we really ought to think about starting over with a new design built from top to bottom with security in mind. Maybe something with multiple isolation layers and least permissions, because there ought to be some way other than NoScript or hoping everything will stay in the sandbox to make it so everyone can have their FB games and bling bling without going through another ActiveX mess all over again. Perhaps instead of calling content from all over the web just to render a single page only allow code to be kept in a "time out room" on the server serving the web pages in such a way that the browser can do malware scans before calling it?

I'm just a humble PC fixit guy, not a security expert so I can't give you the answers, only ask the questions. But it seems to me there ought to be a way to allow people to have things like hardware acceleration without just running everything or blocking everything. Sandboxes to me always felt like a band aid on a bullet wound, and we tell folks not to run untrusted .exe files they trip over yet we are supposed to trust all the ads and flash and everything else, often which isn't even controlled by the website admin? It just doesn't seem like the right way to be going about this. Am I crazy?