Web users should turn off 3D graphics rendering in Firefox 4 and Google Chrome because of security flaws that would give attackers access to the machine’s hardware, security researchers said.
Security flaws in the WebGL 3D rendering engine in Firefox 4 and Google Chrome would allow browser content to access the machine’s graphics hardware, warned the US Computer Emergency Readiness Team (US-CERT) on May 11. WebGL is designed to display 3D graphics in browsers on any machine without requiring plug-ins, and is part of HTML5’s Canvas functionality. WebGL can be enabled in Apple’s Safari Web browser and is widely used in modern smartphones.
“The impact of these issues includes arbitrary code execution, DoS and cross-domain attacks,” noted the US-CERT warning.
Research consultancy Context Information Security discovered that attackers can exploit problems in the rendering tool to gain low-level access to graphics cards. If a user visited a site with a malicious WebGL script, the rogue code would upload a specified 3D code to the graphics card on the system to create a back-door for remote attackers, James Forshaw, a researcher at Context, wrote in a blog post.
One problem was that increasing use of WebGL in Web applications means more things have direct access to the actual graphics hardware. In contrast, the GPU’s actual functionality was not exposed to an external-facing Website under 2D graphic acceleration.
“The use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross domain security principle to denial of service attacks, potentially leading to full exploitation of a user’s machine,” Forshaw said.
Attackers can target unpatched graphics drivers with exploits to shut down a machine, to suck up power and effectively carrying out a “denial of service” attack, and to prevent the user from accessing the machine, according to Forshaw.
The Khronos Group, who maintain OpenGL and WebGL standards, said the WebGL working group has been working with GPU vendors to address security questions.