back to article New graphics engine imperils users of Firefox and Chrome

The US Computer Emergency Readiness Team is advising users of the Mozilla Firefox and Google Chrome browsers to disable a recently added graphics engine that can be exploited to steal data or crash end user computers. The web standard known as WebGL opens the browsers to serious attacks, including the theft of images or denial- …


This topic is closed for new posts.
  1. Combat Wombat
    Black Helicopters


    For a change MS isn't the one one with the Paris Hilton sized holes.

    My FUD meter is going off though... until I see actual reports on the details of this.. I think I'll just keep on using it.

    1. sabroni Silver badge
      Thumb Up

      good plan,,,

      ,,,otherwise how can you browse all those 3d websites?!

    2. Anonymous Coward

      Seems legit.....

      A random company appears and says there is a non-specific but nevertheless major security flaw in a very marketable feature supported by all the major players except Microsoft?

      The needle on my FUD gauge is buried in the red, the glass has cracked and there is an ominous rumbling coming from the bullshit storage tanks....

      1. Anonymous Coward
        Anonymous Coward

        re: Seems legit.....

        Step away from the tinfoil hat. If CERT are going along with the advice, it's a good idea to at least consider it, rather than indulging in kneejerkery.

        Given that you're missing nothing other than some horrid browser demos (which run like crap on a quad core machine wtih a Geforce 580), it seems like a small price to pay. It certainly won't give anyone much of an advantage right now.

      2. sabroni Silver badge

        A random company appears?

        From their website: US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS). It is a public-private partnership.

        So where is the bullshit that's filling your tank coming from?

        1. Anonymous Coward
          Anonymous Coward

          I re-read the story and the knee-jerks have subsided a bit.

          But only a bit :p

          'Context Information Security' would be the 'random' company.

          Reading Context's report it appears that their grievance with WebGL is that it offers direct access to the GPU, which may have buggy or insecure drivers. So it is not WebGL that is the problem, it is just that it opens the possibility of underlying problems being exploited.

          CERT's agreement or not, there is something about an 'independent research consultancy' making sweeping recommendations based on 'limited research' and arguably blaming the wrong link in the chain that screams 'FUD'.

  2. Anonymous Coward
    Anonymous Coward


    The article seems to imply that Opera is also vulnerable (at least to some extent). Any instructions for disabling it in Opera?

    1. Alex Wells

      Not at risk

      "Neither WebGL nor hardware acceleration will be included in the upcoming release of Opera 11.10 for desktop." - from this post.

    2. Anonymous Coward
      Anonymous Coward

      Not in Opera

      until 11.50:

      You're safe.

    3. Anonymous Coward

      Unashamed, Barefaced Troll

      I think you'll find that nobody here uses Opera.

      1. cordwainer 1


        Naturally. Or has a Discover Card either.

  3. Raumkraut

    Targetting the wrong people

    This has nothing to do with browser vulnerabilities. AFAICT the browsers are just passing OpenGL instructions to the graphics card.

    This has _everything_ to do with graphics driver vulnerabilities. I'm sure anyone who's made graphically-intensive software (eg. games), or just tried to run them on their computer, can tell you that graphics card drivers can be some of the quirkiest, buggiest, unstable blobs of code on the machine. And these are Windows systems we're talking about!

    That's not to say the browser makers should ignore this issue completely, but sometimes you just need to steam ahead, in order to force the moose to get off the track.

    1. Ben Liddicott

      Yeah, that's right! Those people need to get off the track!

      Running them over will teach the others.

      Seriously, you are suggesting that the most beneficial possible thing for users will be to convert a local privilege escalation vulnerability into a remote execution vulnerability?

      Fantastic idea. Not.

  4. nichomach

    Whilst I'm perfectly capable...

    ...of finding "disable.webgl" in about:config, it might be nice if they actually included (in either advisory) instructions - well done, El Reg, on noting their absence. All very well telling everyone the sky's falling; telling them where to find the umbrella would also be good....

    1. Anonymous Coward
      Anonymous Coward

      what's in a name

      > Whilst I'm perfectly capable of finding "disable.webgl"

      me too, except that in my FF4.x it seems to be called "webgl.disabled" ?

      1. nichomach

        OK, you're annoying, but...

        ...thumbs up anyway for correcting the minor error, since that MIGHT be helpful to someone looking for it.

  5. Magnus_Pym

    Agian with the FUD-ometer

    One just cannot take USA based science seriously. Especially in areas where big business operates.Too many eminent people have compromised themselves for the corporate Dollar. This could be genuine or it could be Microsoft backed FUD. There is no way of knowing.

  6. kissingthecarpet

    As far as I can tell

    Nvidia & ATI Catalyst drivers have GL_ARB robustness available(I think Nvidia invented it, or contributed the code anyway).

  7. Ben Liddicott

    Told you so.

    Voted down for it too:

  8. Robert Carnegie Silver badge

    indicates that only a "preview build" using WebGL has been released for Opera, not the standard edition browser.*

    only finds one mention of WebGL in Opera's newsgroups, but

    has more. But that still seems to be the position: WebGL planned for Opera 11.50 or thereabouts, currently under development; but, once they hear about this, perhaps not.

  9. DrXym

    "Safe for script"

    This GL_ARB_robustness extension just sounds like a hack, a bit like the alleged "safe for scripting" bit that MS used to allow ActiveX controls to set if they wanted to run in a browser. What does it even mean on the backend? Are NVidia / AMD really going to sanity test every single value coming through their OpenGL implementations? I'm not sure how you could ever be certain that a card is safe from hacks given the multitude of ways they could be abused.


    That said, the same is probably true of regular 2D canvas operations too. If Firefox or any other browser ultimately uses hardware acceleration its quite possible that a bug in the impl could make the entire machine vulnerable in some way.

  10. Joe Montana

    Hardware accel

    How exactly is WebGL different from regular 2D operations?

    Both provide access to video hardware, and both could be used to exploit bugs in the video drivers. The fact that one is for drawing 2D, and the other for drawing 3D is largely irrelevant. If you want to be "safe" against such attacks, disable all hardware acceleration and have your browser render into a dumb framebuffer (note, this will be very slow).

    1. Oninoshiko


      Generally, with 2d you are, in effect, manipulating a framebuffer. normally the OS would provide you some primitives (which it can sanity check) or a framebuffer ("Canvas" if you prefer) and not actually provide you with direct access to the hardware. (at least insofar as what is provided to a web browser is concerned)

      With 3D, OTOH performance becomes a much larger issue. We generally offload that to a GPU, shaders get written to run on GPUs. Because we pass the code to the GPU, to run directly on on the concern that it could be used as an attack vector to a system is solid one. For example, something like a shader which gets random chunks of memory looking for private keys. The OS is not designed (can it even be?) to protect against a processor on a compromised peripheral as an attack vector. It basicly allows anyone to do a "drive-by hacking" using, essentially, the same attack vector as the usb-dma vector.

  11. Gilgamesh

    I miss the days

    ... when a browser was for viewing HTML and images on the internet.

    No ActiveX Sliverlight H.264 Flashy animated crapola.

    Just text and images. And fewer exploits.

    See also: phones that just do phone calls and SMS.

    1. Robert Carnegie Silver badge

      Fewer exploits, yes, but

      search up "malicious JPG".

      (If using Google, do it without image previews.)

    2. Gleb
      Thumb Down

      Missing some dates...

      When was this exactly? In the "everything is open" 90s? The flash-heavy 00s? The security through obscurity and "password"-password 80s?

      1. Ken Hagan Gold badge

        Re: Missing some dates

        That would have been this morning, on my Flash/Java/ActiveX/Silverlight-free browser that works perfectly on all the parts of the web that are worth going to.

        1. Anonymous Coward
          Anonymous Coward

          Ah yes

          No true Scotsman requires Javascript or Flash.

    3. galbak

      text mode browsing

      Still works today, Text browsers, are available for all versions of windows, or better, naturaly for linux boxes, but ported to the lesser window boxes.

      Ok, you loose the snazzy banners, pop-ups, bloat, but you can still get the basic information on the page.

  12. peyton?

    WebGL eh?

    That's one of those things that lets me avoid flash, right?

    I'll take my chances.

  13. R.E.H.

    The title is required, and must contain letters and/or digits.

    What bothers me about this article is not the vulnerabilities themselves. Yes, graphics drivers are buggy, any most likely exploitable through GLES and GLSL if you're not careful. This is bad.

    What bothers me is that it is being painted as an end-of-the-line, unfixable problem for WebGL. It's not. Browsers could add sanity checking to values passing through the WebGL layer. GLSL shaders could be sanitized. It'll hurt performance a bit, but what are you going to do? Hell, Google Chrome on Windows is already passing the OpenGL commands through a translator (ANGLE) to translate them to DirectX (and therefore is translating GLSL to HLSL) to bypass the dodgy OpenGL situation on Windows, so I see little reason why sanitization cannot be added to this as well. Similar should be possible for any browser, though Google may have a head start due to ANGLE.

    I'm not saying this will be easy, but I really don't see why it's painted as being so very impossible. Hell, Google wrote a sandboxing architecture to allow x86 code to run safely from the web. This should be doable.

    1. Robert Carnegie Silver badge

      Sanitisation isn't a solution, because

      If we're saying that video drivers and GPU hardware are buggy and can allow arbitrary execution of code on a PC (are we?), then even "sane" input values may lead to erroneous behaviour. To race conditions. To data corruption and bad code execution, in ways where we don't yet know that there's a problem.

      Having said that, non-sane inputs are more likely to lead to fun misbehaviour of your PC.

  14. ben_myers

    Scare tactics? Is Micro$oft behind this?

    Without any sort of statement as to which manufacturers, GPUs, and graphics interfaces (PCI-E or AGP) are vulnerable, this statement by CERT becomes a scare tactic. There is also nothing to tell us when and where WebGL is used by which types of rendering, other than some sort of 3-D.

    If I do not view any 3-D objects in my Firefox brower, is my system still vulnerable?

    Too damned many unanswered questions here. CERT, go back to the drawing board and give us a statement with some meat... Ben Myers

  15. kain preacher

    Funny people in here

    CERT issues a warning against FF but it must be FUD they must be a MS shill. CERT turns around and says that active X on SCADA systems is a danger and not a peep. So it's not that you folks don't believe CERT you just will only believe things when it's against MS but if it's against OSS it's fud 100% of the time .

This topic is closed for new posts.

Other stories you might like