WebGL Poses New Security Problems

← Back to Stories (view on slashdot.org)

WebGL Poses New Security Problems

Posted by CmdrTaco on Tuesday May 10, 2011 @07:45AM from the but-this-time-its-in-three-dee dept.

Julie188 writes "Researchers are warning that the WebGL standard undermines existing operating system security protections and offers up new attack surfaces. To enable rendering of demanding 3D animations, WebGL allows web sites to execute shader code directly on a system's graphics card. This can allow an attacker to exploit security vulnerabilities in the graphics card driver and even inject malicious code onto the system."

6 of 178 comments (clear)

Min score:

Reason:

Sort:

WebGL was always a bad idea by Anonymous Coward · 2011-05-10 07:45 · Score: 2, Insightful

Now that we finally have sandboxing in browsers they want to let any website run directly code on your hardware. Insane! Just forget the WebGL stuff. Silverlight has direct support for XNA which handles it everything better and safer anyway. Are we also supposed to write WebGL games with notepad? At least XNA games can be written with a solid IDE like Visual Studio. Not only that but the games also work on Xbox360 and mobile phones without such a major porting. What a developers dream...

Leave my hardware alone and secure!
1. Re:WebGL was always a bad idea by Anonymous Coward · 2011-05-10 07:57 · Score: 1, Insightful
  
  Silverlight has direct support for XNA
  [snip]
  a solid IDE like Visual Studio.
  [snip]
  Not only that but the games also work on Xbox360 and mobile phones
  [snip]
  Leave my hardware alone and secure!
  Translation: "WebGL is insecure! Use Microsoft products instead!"
  Sorry, I need to stop laughing hysterically before I can post any more.
Re:Glad I'm not using Binary Blob drivers by MrEricSir · 2011-05-10 07:55 · Score: 3, Insightful

Do any FOSS drivers even support shaders?

--
There's no -1 for "I don't get it."
I don't get it by multi+io · 2011-05-10 08:01 · Score: 1, Insightful

So they're saying that enabling shader code execution allows web sites to exploit hypothetical vulnerabilities in the graphics driver? How's that different from saying that enabling Javascript code execution allows web sites to exploit hypothetical vulnerabilities in the Javascript interpreter?
1. Re:I don't get it by amorsen · 2011-05-10 08:41 · Score: 3, Insightful
  
  So they're saying that enabling shader code execution allows web sites to exploit hypothetical vulnerabilities in the graphics driver?
  They're not particularly hypothetical. Graphics driver code is such that games programmers carefully work around bugs in order to not crash anything. Imagine if every program running on the main CPU had to carefully avoid certain instruction sequences in order to not crash the system -- would you run a multi-user system on that?
  Then again, that was how it was in the 80's on many time sharing systems...
  
  --
  Finally! A year of moderation! Ready for 2019?
I can't wait for Native Client! by Anonymous Coward · 2011-05-10 08:22 · Score: 5, Insightful

Can anyone remind me why we're putting EVERYTHING in a web browser anyway?