In an unusually sharp statement, Microsoft says that the WebGL graphics technology, promoted by the Khronos Group, is too dangerous to be supported in Windows.
Both Google Chrome and Mozilla Firefox browsers currently ship with WebGL support. Google calls this “the most powerful way to add 3D graphics to web pages,” and urges developers to “experiment in graphic design.” Mozilla is positioning WebGL as an ideal technology for "interactive 3D games, applications with rich graphics and the implementation of a new approach in visual design without the use of third-party plug-ins."
In turn, Microsoft published a statement entitled “WebGL is considered harmful” on the official blog of Microsoft Security Center. It was published by the group responsible for the security architecture of Windows and other Microsoft products.
The statement came after a couple of reports that describe “serious design flaws” and “security issues” in WebGL. The latter report includes a demonstration of how user data can be stolen through a browser.
Microsoft instantly responded with a very tough statement:
One of the functions of Microsoft Security Center is the analysis of various technologies, which allows you to understand how this or that technology can directly affect Microsoft or its customers. As an element of this strategy, we recently looked at WebGL. The analysis led to the conclusion that Microsoft products that support WebGL are unlikely to meet the requirements of the secure software development process.
[...]
We believe that WebGL will become a source of vulnerabilities that will be difficult to fix. In its current state, WebGL is not a technology that Microsoft can support in terms of security.
The report argues that WebGL support in the browser is "a direct way to unveil hardware functionality on the web that is overly permissive." Graphics drivers cannot be relied upon to comply with security rules, and there is no working model for ensuring the security of video card drivers. Given the widespread attacks that exploit vulnerabilities in third-party products (for example, Adobe Flash and Java-based applications), this is a legitimate concern for Microsoft.
Microsoft also claims that WebGL makes denial-of-service attacks possible, allowing "any web site to suspend the system or even reload it at will."
In his message, Ari Bixhorn of the Internet Explorer team takes direct aim at competitors:
Users should understand that the security of their computers is questionable when they access the Internet using Google Chrome and Firefox. Because these browsers support WebGL technology, sites that spread malware get access to the most secure parts of the computer. With security holes like this, it becomes clear that WebGL is not ready to become a standard, and therefore users should not use such browsers. Therefore, Microsoft Security Center recommended refraining from using WebGL in Microsoft products, such as Internet Explorer.
In response to this criticism, the Khronos Group is trying to defuse the security concerns, arguing that browser developers are working to comply with WebGL security requirements and that the demonstrated holes "are the result of an error in the WebGL implementation in Firefox." Reportedly, this bug is fixed in Firefox 5, the final version of which will be released before the end of the month.
A Khronos Group spokesman declined to respond to the Microsoft report, but noted that Mozilla, Firefox, and Opera fully support WebGL, and Apple announced limited WebGL support in iOS 5.
A Google spokesman said the company does not consider WebGL a significant threat to its users. Most of the WebGL stack, including GPU processors, “runs in a separate process and is isolated in Chrome to prevent various types of attacks,” the spokesman said. Google claims that it will be able to withstand attacks at a lower level by working with suppliers of hardware, operating systems and drivers, and by disabling WebGL on configurations that are considered unsafe.