Browsers - WebGL Flaw Exposes GPU to DoS, Remote Code Executin Attacks - eWeek Security Watch
Security Watch
SHARE
Facebook X Pinterest WhatsApp

WebGL Flaw Exposes GPU to DoS, Remote Code Executin Attacks

Written By
Fahmida Y. Rashid
Fahmida Y. Rashid
May 11, 2011
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Web users should turn off 3D graphics rendering in Firefox 4 and Google Chrome because of security flaws that would give attackers access to the machine’s hardware, security researchers said.

Security flaws in the WebGL 3D rendering engine in Firefox 4 and Google Chrome would allow browser content to access the machine’s graphics hardware, warned the US Computer Emergency Readiness Team (US-CERT) on May 11. WebGL is designed to display 3D graphics in browsers on any machine without requiring plug-ins, and is part of HTML5’s Canvas functionality. WebGL can be enabled in Apple’s Safari Web browser and is widely used in modern smartphones.

“The impact of these issues includes arbitrary code execution, DoS and cross-domain attacks,” noted the US-CERT warning.

Research consultancy Context Information Security discovered that attackers can exploit problems in the rendering tool to gain low-level access to graphics cards. If a user visited a site with a malicious WebGL script, the rogue code would upload a specified 3D code to the graphics card on the system to create a back-door for remote attackers, James Forshaw, a researcher at Context, wrote in a blog post.

One problem was that increasing use of WebGL in Web applications means more things have direct access to the actual graphics hardware. In contrast, the GPU’s actual functionality was not exposed to an external-facing Website under 2D graphic acceleration.

“The use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross domain security principle to denial of service attacks, potentially leading to full exploitation of a user’s machine,” Forshaw said.

Attackers can target unpatched graphics drivers with exploits to shut down a machine, to suck up power and effectively carrying out a “denial of service” attack, and to prevent the user from accessing the machine, according to Forshaw.

The Khronos Group, who maintain OpenGL and WebGL standards, said the WebGL working group has been working with GPU vendors to address security questions.
Fahmida Y. Rashid
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information