Microsoft abandons WebGL plans due to security concerns

If you were counting on WebGL support in upcoming versions of Internet Explorer, you're out of luck for now. Microsoft made the decision to not support WebGL in its current form due to serious security concerns. WebGL, an emerging graphics API from the Khronos Group, is supported and enabled by default in Firefox and Chrome, can be turned on in Safari, and available in an experimental build of Opera.

In a blog post on Microsoft's Security Research and Defense blog, Microsoft identified three key issues that prevent products containing WebGL from passing Microsoft's Security Development Lifecycle requirements. These concerns were similar to those raised last month by Context Information Security.

  • The implementation of browsers supporting WebGL depends on drivers provided by the manufacturers of graphics hardware. Turing-complete code is fed directly to these drivers, which can trigger an attack on the GPU if attackers exploit the drivers, which reside on the kernel level.
  • Security issues that are identified in WebGL have to be delivered by the various OEM and system components manufacturers. Coordinating a vulnerability fix from various third parties is difficult, in comparison to a single effective security-servicing model such as Windows Update or built-in updating mechanisms provided by browsers. Blocking vulnerable configurations is also not an option as according to Microsoft, users may choose to remove the block and stick with a vulnerable setup.
  • There are security mechanisms in modern processors and in software to stop attacks on the system. However, no such consideration is made yet for graphics processors. Thus, it can be a trivial task for sites to trigger system freezes or reboots at will simply by compromising GPUs.

Image Credit: Context Information Security

Update: Firefox 5 will have WebGL disabled by default, according to this Mozilla Security post.

Report a problem with article
Previous Story

Rumor: What is Facebook's Project Spartan?

Next Story

Rumor: Apple to hold off MacBook Air release

73 Comments

Commenting is disabled on this article.

What Microsoft is saying, is exactly what security experts have petitioned more information about and tried to get some controls on securing WebGL from hardware, all with a non-response from the WebGL khronos group.

Shader code and other other portions of OpenGL that WebGL opens up are NOT managed or secured in anyway. It was NOT designed with any security considerations, in a way to deal with security, nor should it be, as OpenGL is a hardware access API layer.

The answer is not to use WebGL, but instead to use a higher 'manged' technology that uses OpenGL or DirectX. This creates a broker of security between the hardware, as the Internet should never have 'secure to hardware' or local access security.

For example, HTML5, CSS3, SVG, or other higher level access methods that are both 'brokered' from the hardware, but as Microsoft has DEMONSTRATED with IE9, can be accelerated to OpenGL speeds.

Because people are too stupid to realize that direct access to a GPU and VRAM is just as dangerous to a CPU and system RAM, does not mitigate the threat WebGL could cause. If you really want any web site to have unfettered access to your GPU, you will get what you deserve.

Microsoft is not the first people to shout from the roof tops how freaking dangerous this is, and Microsoft was even trying to find a way to 'contain' WebGL, but due to the nature of 'shader code' alone, it is not feasible.

This is not about Microsoft wanting to control anything, this is about Microsoft telling the world that they learned their lesson with ActiveX and they do not want to see the rest of the world repeat the same insanity.

If people use WebGL and it gets any 'grip' on marketshare, it will make the ActiveX days of exploits and attacks look like childs play.


There is a way to achieve what WebGL is doing through secure methods. The first good example is any of the complex graphical HTML5/CSS3 examples at IETestDrive, as they show that IE9 can run this 'higher' level page language at OpenGL speeds. (This is why IE9 is 10-1000x faster than Chrome, Firefox, etc depending on the CPU speed in the test machine, as IE9 does slip all this rendering to the GPU without compromising security.)

Go look up WP7 Mango with IE9 running GPU accelerated running tests like these faster than native OpenGL ES applications on Android or iOS.

As we move to a mobile world, doing more on the GPU as IE9 is demonstrating is exactly what the world needs to be doing, and not offering up our GPUs up to a direct access from external sources.


Microsoft has other technology that they could be shoving if it was their intent on 'control', for example, XNA is a managed technology that could be modified to do what WebGL is doing, and in a very safe way of keeping the GPU out of the hands of web sites and hackers.

However, they are not shoving XNA here, they are instead wanting to use the W3C standards, like everyone has complained that they didn't do properly in the past.

And yet this is now not good enough for people, as they want Microsoft to adopt a BAD concept for direct GPU access with no security.

It is this simple, Microsoft is running graphics in IE9 as fast as Chrome and others are running WebGL, which is how and why Google did their 'response to Microsoft Fish' by using WebGL.

Instead of using 'tricks' to get the speed, Google and others should be moving their browser engine from an internet display application to more of a compiler and rendering engine like IE9 works.

Unlike Chrome and Firefox, IE9 breaks all aspects of HTTP and web content apart, tries to compile what it can and also shoves what it can to the GPU for rendering. This is more of a compiler technology than a 'display application', which for some reason the world doesn't seem to fully 'get' yet, and in a year or two when IE is crushing the competition when running RIA and web graphics using the W3C standards, everyone will be surprised.

Why do people completely 'miss' the technologies that Microsoft does create and then get 'surprised' when they are finally realized or used in products?

PS: Microsoft does know GPUs better than people think, as they designed the VS/PS GPU design and the shader code and shader language that came from that time, and was used in every GPU made from 2002 to 2006. Microsoft also designed the Unified shader GPU technology that is used in every computer today. (So if they say this is a security concern, we should listen, as all our GPUs we are using are based on Microsoft technolgy and Microsoft hardware designs.)

Surprise Surprise. Next Microsoft will release their own proprietary WebDirectX lol. History repeats itself once again.

Flawed said,
Surprise Surprise. Next Microsoft will release their own proprietary WebDirectX lol. History repeats itself once again.

Exactly, but the technology they are pushing is called HTML5 and other W3C standards.

Just becaue Google and others won't redesign their browsers to render web content as fast as IE9 can, we are just supposed to accept this and adopt a technology that has direct hardware access?

Really?

thenetavenger said,

Exactly, but the technology they are pushing is called HTML5 and other W3C standards.

Just becaue Google and others won't redesign their browsers to render web content as fast as IE9 can, we are just supposed to accept this and adopt a technology that has direct hardware access?

Really?


IE9 does 2D composition in hardware, not 3D acceleration.

Summary:

-The vast majority of people with any dev experience whatsoever approve of this move by Microsoft.

-Whiny kiddies who think they know a bit from a nibble, when they aren't lurking on 4chan and commenting YouTube videos, hate on Microsoft for it.

How is it 9/10 criticisms directed at Microsoft these days sound like they're being made by morons?

Go decision by MS.

But the word abandons should not be used as MS never really planned to support WebGL.

I agree with Microsoft's assessment that WebGL is a severe security risk. The gfx driver culture is not the culture of security.

So, what's the difference between WebGL and a normal Direct3D app?

User mode App --> User mode D3D --> Kernel mode drivers

It would seem that MS fears the development of OpenGL drivers in all platforms. Or maybe this has something to do with the recent MS workers upset with silverlight possibly having no future?

Don't get me wrong, it is my opinion that D3D API is much superior to OpenGL's, but blaming this on security is just wrong... It would be IE's job to upload the WebGL commands upstream, so it could very well check for buffer bounds and so on... I guess next microsoft will stop developing windows because it's possible a end user might use it for deleting someone's files.

hmmm...

Kam1kaz3 said,
So, what's the difference between WebGL and a normal Direct3D app?

User mode App --> User mode D3D --> Kernel mode drivers

It would seem that MS fears the development of OpenGL drivers in all platforms. Or maybe this has something to do with the recent MS workers upset with silverlight possibly having no future?

Don't get me wrong, it is my opinion that D3D API is much superior to OpenGL's, but blaming this on security is just wrong... It would be IE's job to upload the WebGL commands upstream, so it could very well check for buffer bounds and so on... I guess next microsoft will stop developing windows because it's possible a end user might use it for deleting someone's files.

hmmm...

a normal direct3d app isn't loaded by a webpage without the user knowing something. And denying the problems that are in WebGL (by design) is ignorant.

I don't know about you, but I never seen anything WebGL on the internet. So, kill it for the same of de-bloating modern browsers.

Udedenkz said,
I don't know about you, but I never seen anything WebGL on the internet. So, kill it for the same of de-bloating modern browsers.

http://nitrous.labs.autodesk.com
what about this? using WebGL to view your 3D models online, without using any specialized software/viewer, just your WebGL enabled browser.

Microsoft abandons WebGL plans due to security concerns? here we go again Microsft always when they can't do something right?

Gaara sama said,
Microsoft abandons WebGL plans due to security concerns? here we go again Microsft always when they can't do something right?

If there's a security issue with it, how exactly is that Microsoft's fault when it's designed by somebody else?

Gaara sama said,
But MS allow the 3 party of software to be use on IE so is M$ fault

Riiiiiight, so Microsoft should disallow anyone from developing software now? So they're wrong if they make it insecure, and they're wrong if they try to make it more secure, and they're wrong even if they didn't write the software in question. Makes perfect sense. Extra points for the dollar sign by the way.

Microsoft abandons WebGL plans due to security concerns? here we go again Microsft always when they can't do something right?

But MS allow the 3 party of software to be use on IE so is M$ fault

Hey, listen to yourself buddy. Its Microsoft's fault for not including flawed software, but it is also Microsoft's fault for trying to use WebGl in the first place? That doesn't make any sense.

Then why is Flash supported.. It has tons of security flaws.. If anyone here thinks that Silverlight5 has no security issues. Please.. All Microsoft is doing here is spreading FUD!

Flash is supported because a ton of sites actually use it. Silverlight is supported because Microsoft built the thing and its their browser. Don't like it then don't use it, easy.

They are indirectly telling us that they are building a new graphics library platform, maybe we could use .NET langs. in building games on that platform...

burhan9k said,
They are indirectly telling us that they are building a new graphics library platform, maybe we could use .NET langs. in building games on that platform...

Did I miss something or how you come to that conclusion?

damn you ATI/NV why leave Graphic chip exposed?

oh i see now so now you can sell few more million with marketed as
"ATI 79xx/NV 68x secure edtion!"

Lastwebpage said,
In my opinion the question is not why MS block WebGL, the question is why the other companies not recognize this problems.

Maybe because companies like Mozilla and Google don't give a **** about the security of the underlying OS…?

MFH said,

Maybe because companies like Mozilla and Google don't give a **** about the security of the underlying OS…?

Doesn't Google reject D2D on the same premises?

MFH said,

Maybe because companies like Mozilla and Google don't give a **** about the security of the underlying OS…?

Actually, as pointed out above, Mozilla disabled it for Firefox 5.

And rightly so . WebGL should be scrapped and re-written.

WebGL - A New Dimension for Browser Exploitation

A number of serious security issues have been identified with the specification and implementations of WebGL.
These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.
Additionally, there are other dangers with WebGL that put users' data, privacy and security at risk.
These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).
Browsers that enable WebGL by default put their users at risk to these issues.......

http://www.neowin.net/forum/to...romsearch__1#entry593977462

alexalex said,
And rightly so . WebGL should be scrapped and re-written.

WebGL - A New Dimension for Browser Exploitation

A number of serious security issues have been identified with the specification and implementations of WebGL.
These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.
Additionally, there are other dangers with WebGL that put users' data, privacy and security at risk.
These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).
Browsers that enable WebGL by default put their users at risk to these issues.......

http://www.neowin.net/forum/to...romsearch__1#entry593977462

+1

Good decision by Microsoft. People who don't know what updates are about, or how computers work, that are simply online with Internet Explorer shouldn't be at risk simply because it's new technoligy. The standard should be updated first to be secure before the mass should be using it. And sure, firefox / chrome might use it already, but those people who installed it are probably more aware of updates and risks.

And like Microsoft said earlier. You can better walk a little behind, and give developers just one version to work on, rather then 10 versions like chrome, followed by a decision that the standard would be removed in a later version.

And even if silverlight might do the trick, it's very low to think that this is Microsoft pretending so Silverlight get's more attention. Many people hate flash, silverlight is the solution to that problem imo.

Peter van Dam said,
Good decision by Microsoft. People who don't know what updates are about, or how computers work, that are simply online with Internet Explorer shouldn't be at risk simply because it's new technoligy. The standard should be updated first to be secure before the mass should be using it. And sure, firefox / chrome might use it already, but those people who installed it are probably more aware of updates and risks.

And like Microsoft said earlier. You can better walk a little behind, and give developers just one version to work on, rather then 10 versions like chrome, followed by a decision that the standard would be removed in a later version.

And even if silverlight might do the trick, it's very low to think that this is Microsoft pretending so Silverlight get's more attention. Many people hate flash, silverlight is the solution to that problem imo.

1+

Flash should burn to ashes. The only reason flash still exists is because of Youtube and Google'd never use MS Silverlight even knowing is 10x better than flash.

Peter van Dam said,
Good decision by Microsoft. People who don't know what updates are about, or how computers work, that are simply online with Internet Explorer shouldn't be at risk simply because it's new technoligy. The standard should be updated first to be secure before the mass should be using it. And sure, firefox / chrome might use it already, but those people who installed it are probably more aware of updates and risks.

And like Microsoft said earlier. You can better walk a little behind, and give developers just one version to work on, rather then 10 versions like chrome, followed by a decision that the standard would be removed in a later version.

And even if silverlight might do the trick, it's very low to think that this is Microsoft pretending so Silverlight get's more attention. Many people hate flash, silverlight is the solution to that problem imo.

1+

Flash should burn to ashes. The only reason flash still exists is because of Youtube and Google'd never use MS Silverlight even knowing is 10x better than flash.

Peter van Dam said,
Many people hate flash, silverlight is the solution to that problem imo.
The reason I dislike flash is because it's a proprietary plug-in written by a third party company, with poor support on non-Windows operating systems and quirks in some browsers.

Silverlight solves none of those problems, and is less browser-compatible (I don't think they officially support Chrome on OS X yet).

Simon said,
I don't think they officially support Chrome on OS X yet

Now who uses Chrome on OSX? Steve gives you a magical browser called Safari, it's how he intends the internet to be experienced… ^^

CarlDilone said,
Flash should burn to ashes. The only reason flash still exists is because of Youtube and Google'd never use MS Silverlight even knowing is 10x better than flash.

Go away, arsonistic troll.

MFH said,

Now who uses Chrome on OSX? Steve gives you a magical browser called Safari, it's how he intends the internet to be experienced… ^^
And Steve Ballmer gives you Internet Explorer, it's how he intends the internet to be experienced.

MS Lose32 said,
And Steve Ballmer gives you Internet Explorer, it's how he intends the internet to be experienced.

And that's what us real fanboys use

MS Lose32 said,
And Steve Ballmer gives you Internet Explorer, it's how he intends the internet to be experienced.

And Ballmer's command we will follow^^

Don't worry, Microsoft supports something very similar via Silverlight (even lets you write your own shaders via HLSL, which is their complaint against WebGL)

The_Decryptor said,
Don't worry, Microsoft supports something very similar via Silverlight (even lets you write your own shaders via HLSL, which is their complaint against WebGL)

Maybe that's why they don't want to support the standard. They already have their own solution. Why support others'?

Tom W said,
I fear they'll get left behind once again by ignoring WebGL.

Honestly I'd rather be "left behind" than getting a security problem due to an unsafe standard…

The_Decryptor said,
Don't worry, Microsoft supports something very similar via Silverlight (even lets you write your own shaders via HLSL, which is their complaint against WebGL)

Silverlight for web is dead and buried, no one using it (apart from Microsoft) so it is no answer.

alexalex said,

Silverlight for web is dead and buried, no one using it (apart from Microsoft) so it is no answer.

It is an answer since writing something like your own shaders isn't something every web dev is going to even do anyways, it's something limited that is a niche at best.

alexalex said,

Silverlight for web is dead and buried, no one using it (apart from Microsoft) so it is no answer.

Come back after trying to watch Netflix instant queue on a linux box and try to toss that argument around.

alexalex said,

Silverlight for web is dead and buried, no one using it (apart from Microsoft) so it is no answer.

I thought Netflix used Silverlight as well as many other media portals/sites.

alexalex said,
Silverlight for web is dead and buried, no one using it (apart from Microsoft) so it is no answer.

I guess Netflix, recently the majority of all internet traffic in America, is a nobody.

Solid Knight said,

I guess Netflix, recently the majority of all internet traffic in America, is a nobody.

Yes, it is nobody for 99% of earth's population. Silverlight, by Microsoft own wording was out to replace flash, so where it is now ?

alexalex said,

Yes, it is nobody for 99% of earth's population. Silverlight, by Microsoft own wording was out to replace flash, so where it is now ?


Source? Silverlight is so much more than just an alternative to Flash…

adlerhn said,

Maybe that's why they don't want to support the standard. They already have their own solution. Why support others'?

Fail. WebGL is about as standard as ActiveX.

floopydoodle said,
Fail. WebGL is about as standard as ActiveX.

Actually nothing Khronos manages is an official standard… Neither is W3C's stuff…

The_Decryptor said,

Yes, of course. Why wouldn't it be?

Ya, and Dalvik, Cocoa. Win32 are all standards too... However, none of them are not part of the W3C, and neither is WebGL.