The Mozilla Security Blog announced yesterday that there is a security concern with WebGL in Mozilla Firefox 4. It could allow attackers to capture screenshots of a visitors browser, including private information.
The problem is specific to Firefox’s implementation of WebGL, not a vulnerability in WebGL itself. A fix will be included in the next update to Firefox, which is scheduled for Tuesday, June 21st. In the meantime, Mozilla recommends that users either update to the Firefox Beta or disable WebGL. To disable it, in Firefox 4’s address bar type about:config. Then type webgl in the filter line and toggle the webgl.disabled to true by double-clicking on the value.
Nine hours before Mozilla’s statement was published, Microsoft’s Security Research & Defense blog posted an article simply titled WebGL Considered Harmful. The article goes on to details three key concerns Microsoft has with WebGL and how they believe it will become a recurring source of hard-to-fix vulnerabilities. (ed. note: Yet, Adobe Flash and Reader…)
The full article goes into much greater detail so be sure to give it a read, but the bullet points of their concerns include:
- Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive
- Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience
- Problematic system DoS scenarios
In its current form, WebGL is not a technology Microsoft can endorse from a security perspective.
We recognize the need to provide solutions in this space however it is our goal that all such solutions are secure by design, secure by default, and secure in deployment.
Two strikes in one day against WebGL, will it last if opinion turns on it? The two articles on the same day are not coincidental. Context Information Security LTD published an article in May calling WebGL a new dimension for browser exploitation. In almost a self-fulfilling prophecy, ContextIS published an update yesterday which demoed further WebGL security flaws – including the screenshot capture exploit Mozilla is patching in Firefox 4.