Microsoft abandons WebGL plans due to security concerns

If you were counting on WebGL support in upcoming versions of Internet Explorer, you're out of luck for now. Microsoft made the decision to not support WebGL in its current form due to serious security concerns. WebGL, an emerging graphics API from the Khronos Group, is supported and enabled by default in Firefox and Chrome, can be turned on in Safari, and available in an experimental build of Opera.

In a blog post on Microsoft's Security Research and Defense blog, Microsoft identified three key issues that prevent products containing WebGL from passing Microsoft's Security Development Lifecycle requirements. These concerns were similar to those raised last month by Context Information Security.

  • The implementation of browsers supporting WebGL depends on drivers provided by the manufacturers of graphics hardware. Turing-complete code is fed directly to these drivers, which can trigger an attack on the GPU if attackers exploit the drivers, which reside on the kernel level.
  • Security issues that are identified in WebGL have to be delivered by the various OEM and system components manufacturers. Coordinating a vulnerability fix from various third parties is difficult, in comparison to a single effective security-servicing model such as Windows Update or built-in updating mechanisms provided by browsers. Blocking vulnerable configurations is also not an option as according to Microsoft, users may choose to remove the block and stick with a vulnerable setup.
  • There are security mechanisms in modern processors and in software to stop attacks on the system. However, no such consideration is made yet for graphics processors. Thus, it can be a trivial task for sites to trigger system freezes or reboots at will simply by compromising GPUs.

Image Credit: Context Information Security

Update: Firefox 5 will have WebGL disabled by default, according to this Mozilla Security post.

Report a problem with article
Previous Story

Rumor: What is Facebook's Project Spartan?

Next Story

Rumor: Apple to hold off MacBook Air release

73 Comments

View more comments

Microsoft abandons WebGL plans due to security concerns? here we go again Microsft always when they can't do something right?

Gaara sama said,
Microsoft abandons WebGL plans due to security concerns? here we go again Microsft always when they can't do something right?

If there's a security issue with it, how exactly is that Microsoft's fault when it's designed by somebody else?

Gaara sama said,
But MS allow the 3 party of software to be use on IE so is M$ fault

Riiiiiight, so Microsoft should disallow anyone from developing software now? So they're wrong if they make it insecure, and they're wrong if they try to make it more secure, and they're wrong even if they didn't write the software in question. Makes perfect sense. Extra points for the dollar sign by the way.

Microsoft abandons WebGL plans due to security concerns? here we go again Microsft always when they can't do something right?

But MS allow the 3 party of software to be use on IE so is M$ fault

Hey, listen to yourself buddy. Its Microsoft's fault for not including flawed software, but it is also Microsoft's fault for trying to use WebGl in the first place? That doesn't make any sense.

Then why is Flash supported.. It has tons of security flaws.. If anyone here thinks that Silverlight5 has no security issues. Please.. All Microsoft is doing here is spreading FUD!

Flash is supported because a ton of sites actually use it. Silverlight is supported because Microsoft built the thing and its their browser. Don't like it then don't use it, easy.

I don't know about you, but I never seen anything WebGL on the internet. So, kill it for the same of de-bloating modern browsers.

Udedenkz said,
I don't know about you, but I never seen anything WebGL on the internet. So, kill it for the same of de-bloating modern browsers.

http://nitrous.labs.autodesk.com
what about this? using WebGL to view your 3D models online, without using any specialized software/viewer, just your WebGL enabled browser.

So, what's the difference between WebGL and a normal Direct3D app?

User mode App --> User mode D3D --> Kernel mode drivers

It would seem that MS fears the development of OpenGL drivers in all platforms. Or maybe this has something to do with the recent MS workers upset with silverlight possibly having no future?

Don't get me wrong, it is my opinion that D3D API is much superior to OpenGL's, but blaming this on security is just wrong... It would be IE's job to upload the WebGL commands upstream, so it could very well check for buffer bounds and so on... I guess next microsoft will stop developing windows because it's possible a end user might use it for deleting someone's files.

hmmm...

Kam1kaz3 said,
So, what's the difference between WebGL and a normal Direct3D app?

User mode App --> User mode D3D --> Kernel mode drivers

It would seem that MS fears the development of OpenGL drivers in all platforms. Or maybe this has something to do with the recent MS workers upset with silverlight possibly having no future?

Don't get me wrong, it is my opinion that D3D API is much superior to OpenGL's, but blaming this on security is just wrong... It would be IE's job to upload the WebGL commands upstream, so it could very well check for buffer bounds and so on... I guess next microsoft will stop developing windows because it's possible a end user might use it for deleting someone's files.

hmmm...

a normal direct3d app isn't loaded by a webpage without the user knowing something. And denying the problems that are in WebGL (by design) is ignorant.

I agree with Microsoft's assessment that WebGL is a severe security risk. The gfx driver culture is not the culture of security.

Go decision by MS.

But the word abandons should not be used as MS never really planned to support WebGL.

Summary:

-The vast majority of people with any dev experience whatsoever approve of this move by Microsoft.

-Whiny kiddies who think they know a bit from a nibble, when they aren't lurking on 4chan and commenting YouTube videos, hate on Microsoft for it.

How is it 9/10 criticisms directed at Microsoft these days sound like they're being made by morons?

v1ewer said,
(anti)pr-ware, vapor-ware... bomb-ware... and everybody jumps on that bandwagon... but can you research b4 you post?
From the horse's mouth:
http://www.khronos.org/news/permalink/webgl-security
Facts...
Only Firefox 4 is vulnerable to the WebGL exploit [new feature, early implementation, not bug tested in the wild], and Mozilla already fixed this bug in FF 5 beta:
http://learningwebgl.com/blog/
Chrome natively enabled WebGL extensions since ver 9.
But has any1 heard of any Chrome WebGL exploit/vulnerability/bug/etc?
That's right... you haven't, because Chrome [still] has the reputation of the unhackable browser. ;-)
http://gadgetwise.blogs.nytime...08/chrome-browser-unhacked/
So M$ is blowing smoke [jealous much?], trying to scare every1 silly, over what? Loading cr@p into the GPU buffer [and that only *if* the drivers are buggy? say whaaat?] to freeze the computer, used as an exploit, to what gain? [now read that word again to make sure you got its meaning straight: e-x-p-l-o-i-t ] Any1 heard of something sillier?
http://www.thefreedictionary.com/exploit
You go, Micro$oft! {lol}

So me shoving my shader code bits directly through your GPU is a good idea? Let alone all the other holes that are inherent in OpenGL as it was NOT designed to be at the forefront of controlling or constraining security.

If WebGL becomes popular it will make ActiveX look like a ripple in the security nightmares of computing history.

Microsoft DESIGNED the GPU technology in use on EVERY freaking computer, and wrote the shader code language back in the late 90s that has been adopted by NVidia and OpenGL outside of DirectX HLSL.

Do you really think they don't know what it is like to be hit by security holes and do you really think they don't understand GPU technologies?

The Original XBox GPU and the XBox 360 GPU were designed by MICROSOFT hardware engineers, and are the architectural basis for the VS/PS generation and the current unified shader GPUs EVERYONE USES and is in use in every computer, and most portable devices.

If Microsoft says there is a an issue, as anyone with a brain should understand by giving direct GPU access to web sites, then there is a problem. One proof of concept 'fixed' is just a 'proof of concept'.

thenetavenger said,
So me shoving my shader code bits directly through your GPU is a good idea? Let alone all the other holes that are inherent in OpenGL as it was NOT designed to be at the forefront of controlling or constraining security.

If WebGL becomes popular it will make ActiveX look like a ripple in the security nightmares of computing history.

Microsoft DESIGNED the GPU technology in use on EVERY freaking computer, and wrote the shader code language back in the late 90s that has been adopted by NVidia and OpenGL outside of DirectX HLSL.

Do you really think they don't know what it is like to be hit by security holes and do you really think they don't understand GPU technologies?

The Original XBox GPU and the XBox 360 GPU were designed by MICROSOFT hardware engineers, and are the architectural basis for the VS/PS generation and the current unified shader GPUs EVERYONE USES and is in use in every computer, and most portable devices.

If Microsoft says there is a an issue, as anyone with a brain should understand by giving direct GPU access to web sites, then there is a problem. One proof of concept 'fixed' is just a 'proof of concept'.

Insults, nonsense and biased opinions do not solve problems, research by professionals does (peer review, much?). ;-)
And why even mention ActiveX? What does *that* have to do with accessing the GPU hardware layer? ActiveX is, errr... was an API, ergo software layer:
http://www.google.com/search?tbs=dfn%3A1&q=Activex
and a sorry implementation of untested proprietary code, in trying to monopolize the "bundled" browser market (which years later they lost, in both market share and in courts), and chock-full of vulnerabilities. Took M$ way too many years to realize it can't be fixed, so they finally realized was about time to ditch it.
Please see the opinion of a professional directly involved in the development of the implementation of WebGL into Firefox, who works for the Mozilla Foundation:
http://en.wikipedia.org/wiki/Talk:WebGL#Security
What we need is wait for all involved parties' rebuttal to Context's blog, in order to draw a conclusion.
HTH [Hope This Helps]

Surprise Surprise. Next Microsoft will release their own proprietary WebDirectX lol. History repeats itself once again.

Flawed said,
Surprise Surprise. Next Microsoft will release their own proprietary WebDirectX lol. History repeats itself once again.

Exactly, but the technology they are pushing is called HTML5 and other W3C standards.

Just becaue Google and others won't redesign their browsers to render web content as fast as IE9 can, we are just supposed to accept this and adopt a technology that has direct hardware access?

Really?

thenetavenger said,

Exactly, but the technology they are pushing is called HTML5 and other W3C standards.

Just becaue Google and others won't redesign their browsers to render web content as fast as IE9 can, we are just supposed to accept this and adopt a technology that has direct hardware access?

Really?


IE9 does 2D composition in hardware, not 3D acceleration.

What Microsoft is saying, is exactly what security experts have petitioned more information about and tried to get some controls on securing WebGL from hardware, all with a non-response from the WebGL khronos group.

Shader code and other other portions of OpenGL that WebGL opens up are NOT managed or secured in anyway. It was NOT designed with any security considerations, in a way to deal with security, nor should it be, as OpenGL is a hardware access API layer.

The answer is not to use WebGL, but instead to use a higher 'manged' technology that uses OpenGL or DirectX. This creates a broker of security between the hardware, as the Internet should never have 'secure to hardware' or local access security.

For example, HTML5, CSS3, SVG, or other higher level access methods that are both 'brokered' from the hardware, but as Microsoft has DEMONSTRATED with IE9, can be accelerated to OpenGL speeds.

Because people are too stupid to realize that direct access to a GPU and VRAM is just as dangerous to a CPU and system RAM, does not mitigate the threat WebGL could cause. If you really want any web site to have unfettered access to your GPU, you will get what you deserve.

Microsoft is not the first people to shout from the roof tops how freaking dangerous this is, and Microsoft was even trying to find a way to 'contain' WebGL, but due to the nature of 'shader code' alone, it is not feasible.

This is not about Microsoft wanting to control anything, this is about Microsoft telling the world that they learned their lesson with ActiveX and they do not want to see the rest of the world repeat the same insanity.

If people use WebGL and it gets any 'grip' on marketshare, it will make the ActiveX days of exploits and attacks look like childs play.


There is a way to achieve what WebGL is doing through secure methods. The first good example is any of the complex graphical HTML5/CSS3 examples at IETestDrive, as they show that IE9 can run this 'higher' level page language at OpenGL speeds. (This is why IE9 is 10-1000x faster than Chrome, Firefox, etc depending on the CPU speed in the test machine, as IE9 does slip all this rendering to the GPU without compromising security.)

Go look up WP7 Mango with IE9 running GPU accelerated running tests like these faster than native OpenGL ES applications on Android or iOS.

As we move to a mobile world, doing more on the GPU as IE9 is demonstrating is exactly what the world needs to be doing, and not offering up our GPUs up to a direct access from external sources.


Microsoft has other technology that they could be shoving if it was their intent on 'control', for example, XNA is a managed technology that could be modified to do what WebGL is doing, and in a very safe way of keeping the GPU out of the hands of web sites and hackers.

However, they are not shoving XNA here, they are instead wanting to use the W3C standards, like everyone has complained that they didn't do properly in the past.

And yet this is now not good enough for people, as they want Microsoft to adopt a BAD concept for direct GPU access with no security.

It is this simple, Microsoft is running graphics in IE9 as fast as Chrome and others are running WebGL, which is how and why Google did their 'response to Microsoft Fish' by using WebGL.

Instead of using 'tricks' to get the speed, Google and others should be moving their browser engine from an internet display application to more of a compiler and rendering engine like IE9 works.

Unlike Chrome and Firefox, IE9 breaks all aspects of HTTP and web content apart, tries to compile what it can and also shoves what it can to the GPU for rendering. This is more of a compiler technology than a 'display application', which for some reason the world doesn't seem to fully 'get' yet, and in a year or two when IE is crushing the competition when running RIA and web graphics using the W3C standards, everyone will be surprised.

Why do people completely 'miss' the technologies that Microsoft does create and then get 'surprised' when they are finally realized or used in products?

PS: Microsoft does know GPUs better than people think, as they designed the VS/PS GPU design and the shader code and shader language that came from that time, and was used in every GPU made from 2002 to 2006. Microsoft also designed the Unified shader GPU technology that is used in every computer today. (So if they say this is a security concern, we should listen, as all our GPUs we are using are based on Microsoft technolgy and Microsoft hardware designs.)

Commenting is disabled on this article.