The Microsoft Security Response Center (MSRC) Engineering team has concluded that WebGL, the royalty-free cross-platform API for browser-based 3D graphics, is "overly permissive," insecure, and potentially harmful to machines using it. Development of the technology was spearheaded by Mozilla, Google, Opera, AMD, and Nvidia, and was endorsed by the Khronos Group.
Based upon an MSRC Engineering review, and using two Context Information Security reports as supporting evidence, Microsoft said it cannot endorse the use of WebGL in its current form. In its statement, the company did leave the door open for support of a future version of the API.
Because the technology utilizes hardware acceleration, Microsoft believes that WebGL exposes much more of the end user's computer system than before, and could result in remote compromise. In addition, Microsoft says the security servicing model for video card drivers "is just not compatible with the needs of a security update process." This means when vulnerabilities are discovered in video cards, there isn't a simple security update that can be run because the driver rules differ from one piece of hardware to the next.
Finally, Microsoft says the technology opens the door for client-side attacks that operating systems just aren't prepared for. Context IS has built a number of proof-of-concept exploits over the last few months that show WebGL to be vulnerable to client-side denial-of-service attacks. In short, it is possible to create shader programs with complex 3D geometry that end up consuming all of the client's GPU resources.
"Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. Although mitigations such as ARB_robustness and the forthcoming ARB_robustness_2 may help, they have not proven themselves capable of comprehensively addressing the DoS threat," MSRC Engineering said.
WebGL is currently available in Chrome and Firefox. Opera has released the technology as a demo; it has not yet been put into an Opera release, but the company recently showed off its implementation of WebGL for gaming purposes.
If there is one thing that Microsoft knows well, it is security holes in operating systems and device drivers. They have been heavily engaged in finding complex engineering solutions to solve some of the most difficult security compromises for more than 20 years. We should all listen to this warning.