The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.
Problems? See this thread at archive.org.

    Microsoft says to turn OpenGL off -- Security Risk

    Discussion in 'Security and Anti-Virus Software' started by Hungry Man, May 11, 2011.

  1. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    US-CERT Current Activity

    I'm not going to turn it off but in case anyone wanted to know.
     
  2. hakira

    hakira <3 xkcd

    Reputations:
    957
    Messages:
    1,286
    Likes Received:
    0
    Trophy Points:
    55
    disable webgl in firefox 4.0.1:

    Type about:config in the address bar and toggle the webgl.disabled variable to true.

    disable webgl in chrome:

    add the --disable-webgl argument on the command line (chrome.exe)

    verify it is off by clicking Spinning WebGL Box - if you see a rectangle it is off; if you see a spinning cube it is on.

    I find it amusing that by my own 'comfort' thing and being unwilling to update to ff4 right away, I was protected against these kinds of 0days until they can be properly patched (still running ff3.6).
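    As an added example (not part of hakira's post or any browser's own tooling), a small Python check a defender could run to confirm the two settings above are actually in effect: it parses the user_pref() entries of a Firefox prefs.js / user.js and looks for the --disable-webgl token on a Chrome command line. The prefs.js content is constructed.

```python
import re

# Constructed sample of a Firefox prefs.js (not taken from the original post).
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("webgl.disabled", true);
user_pref("network.http.max-connections", 256);
'''

# Every prefs.js / user.js entry has the form:  user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)


def parse_prefs(text):
    """Return {pref name: Python value} for the body of a prefs.js or user.js."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep unknown value kinds as raw text
    return prefs


def firefox_webgl_disabled(prefs_text):
    """True only when webgl.disabled is explicitly set to true.
    The pref is absent from prefs.js until changed, and its default is false,
    so a missing entry means WebGL is still enabled."""
    return parse_prefs(prefs_text).get("webgl.disabled", False) is True


def chrome_webgl_disabled(cmdline):
    """True when --disable-webgl appears as its own argument on Chrome's command line."""
    return "--disable-webgl" in cmdline.split()


def user_js_line():
    """The user.js line that pins the setting so a profile reset cannot undo it."""
    return 'user_pref("webgl.disabled", true);'


if __name__ == "__main__":
    print("Firefox WebGL disabled:", firefox_webgl_disabled(SAMPLE_PREFS_JS))
    print("Chrome WebGL disabled:", chrome_webgl_disabled("chrome.exe --disable-webgl"))
```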
     
  3. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    aw puppy!

    Also, this really doesn't seem like a huge deal to me. There are already measures being taken to secure ogl.
     
  4. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    the fun thing is, if someone exploits webgl (which will happen), they are at driver level, which means they can do ANYTHING. from bluescreening the os to installing whatever they want.

    it'll be fun :) after all the sandboxing, they get direct access to one of the most insecure driver environments that ever existed: the graphics driver.
     
  5. ikovac

    ikovac Cooler and faster... NBR Reviewer

    Reputations:
    872
    Messages:
    1,637
    Likes Received:
    0
    Trophy Points:
    55
    Now it becomes clear why IE9 didn't include webgl and that ms is going to make sure it never does. Chrome and FF's new feature (that many brag about but I still find almost useless) is recommended to be turned off. :)
     
  6. hakira

    hakira <3 xkcd

    Reputations:
    957
    Messages:
    1,286
    Likes Received:
    0
    Trophy Points:
    55
    They'll just implement it in ie10, and forget to secure it while they are at it!
     
  7. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    IE9 just didn't get around to it most likely. Same goes for Opera, which has a preview build that has OGL.

    Not necessarily. Not all APIs require kernel access etc and canvas tags are uber rare. But yeah, hopefully this gets cleaned up before it gets taken advantage of.
     
  8. ikovac

    ikovac Cooler and faster... NBR Reviewer

    Reputations:
    872
    Messages:
    1,637
    Likes Received:
    0
    Trophy Points:
    55
    first exploit could be that all webgl renders upside down. :)
     
  9. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    for an exploit, you only need ONE way to get in. and the rarity doesn't matter, either. you just need some fun video that everyone has to "like" on facebook, to watch it, and you've quickly exploited millions of users.

    webgl (not canvas) gives you full gpu access (with shaders and all, so yes, crysis is possible with it). problem is, those things are inherently buggy, even by today. and never trimmed for security, but for speed, and compatibility with actual games (the gpu drivers). nothing else.

    yes, after xp, the gpu drivers got forced into user mode for the most part, but there still are bluescreens (especially when you're developing stuff on the gpu, as then you're not a popular game the driver is made for). and each of those bluescreens is nothing else but an exploit that failed to really hurt. done right, anything's possible.
     
  10. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    Does "liking" on youtube use ogl? >_>

    Anyway, yes, I agree. I'm just saying that it doesn't necessarily mean you're 100% screwed in every case.
     
  11. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    webgl is NEW. obviously it's not yet used much (but angrybirds for chrome uses it, for example).

    and no, liking on youtube does not use opengl. but if you have facebook, you might have noted the lots of like spam that popped up recently. like this:

    davepermen likes "see what this dad does to his kid! omg he should be punished for that!!" on 'omgvideos.com'

    and when you click, you see a video player, and when you press play, you've "liked the video", too. and in some cases, trojans started to install on your system.

    webgl can be used on such pages easily. they can be used on pages like this one here, too (forums often have bad security and well-known holes that one can abuse to actually manipulate the forum, spreading stuff through innocent sites).
     
  12. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    Oh I see what you mean.

    What I'm wondering is if disabling javascript will disable OGL or if most sites just use javascript for something like an "onload" before activating it. If it's an "onload" thing then disabling javascript won't help.
     
  13. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    well, disabling javascript isn't much of a solution in the future anymore anyways. Or what's the last web application you've used without javascript?

    Btw, if the html5 video tag is hardware-accelerated decoding the movie, then that could be fed with something that exploits that part of hardware, and be another target.

    there were jpeg exploits before, gif exploits, pdf exploits, etc etc..

    the more power the web gets, the more ways there are to exploit it. each new file format allows new abuse. so does each new library. now having a library that accesses hardware directly is dangerous. our operating systems are not prepared for security at that place. none is.
     
  14. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    Yes, there are a lot of security issues with GPU acceleration. I've seen quite a few patched in Chrome.
     
  15. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    problem is, with gpu acceleration, you get a third partner.

    till now, you had to care about microsoft, and google doing its thing right. and you know that both have a lot of knowledge about security (sometimes learned the hard way).

    but with gpu acceleration, you get a third partner: nvidia, ati-amd, or intel. and at least two of those have one main focus: that games run well, and fast. security is NOT the focus, not even stability is (just for the popular games. once you go outside that path, forget about stability).

    gpu vendors are the WORST in security and stability. and with webgl, the whole web gets access to it.

    that is a security issue. and not a small one, indeed.

    if google would go the correct way (even if rather impossible), it would bundle gpu drivers with chrome, just as it did with flash. you can think about gpu drivers as being the same as flash is: a 3rd party that is not under control of the os and browser provider.
     
  16. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    Well, we've never really seen GPU vendors when it comes to security. You've never had to worry about a game that you get directly from a vendor installing a virus. It's just never come up.

    But now that the GPU is being used more and more for everyday programs there's definitely an issue and hopefully the vendors will step up and implement the security features that OGL has already created.

    Google's posted about GPU drivers and how people need to keep them up to date for Chrome to work properly. I think it would be pretty interesting if Chrome autoupdated GPU drivers but I don't think it will happen.
     
  17. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    it might give warnings about outdated drivers, and point to windows update. that would at least be a good step.

    and it will update the gpu drivers in the chromebooks :p
     
  18. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    Well naturally it'll update Chrome notebook drivers haha. And yes, it would be pretty great if it could remind for driver updates. Really that should be handled by Win7.
     
  19. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    normally, it does. but depending on the setups, sometimes it doesn't (f.e. people could have disabled it). anyways, it would be nice if microsoft informs the user about updates if they can, AND chrome does, when they can. 4 eyes are better than two.
     
  20. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    True. Chrome has enough things to deal with as it is though. It still has to play catch-up since it's so new compared to other browsers.
     
  21. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    catchup? no. it got its momentum, the rest is just people being slow at adoption. there isn't much catchup in terms of browser functionality it has to provide. it's in the top league and will most likely not be caught up by firefox any time soon, nor ie9 (as that is fixed and out now), and definitely not opera, that piece of .. fanboy thing.. :)
    the rest is just a case of waiting till the momentum got through.

    and they did that before for adobe flash. why not for graphics drivers? at least disable those who have a zero-day attack known.
     
  22. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    I mostly meant in terms of their extensions API, which has barely expanded since fruition.

    In my opinion Chrome is well ahead of the other browsers. It's forced other browsers to change. Chrome is the reason firefox has moved to a faster release schedule, same with IE9. It's taken sandboxing, an old idea, and brought it up to date.

    But the download manager, UI customizability, and extensions API are all behind. They've acknowledged this and hopefully it gets worked on.
     
  23. davepermen

    davepermen Notebook Nobel Laureate

    Reputations:
    2,972
    Messages:
    7,788
    Likes Received:
    0
    Trophy Points:
    205
    actually, the extension api grew quite a bit.

    i don't care about download managers, never understood their appeal. it downloads the files i want, what else do i need?

    the extension api for ui changes is by design rather locked down to have a consistent look and no chance of having it outgrowing out of usability (consider the toolbars in ie, or office pre office2007).

    i'm glad the extension api is not "we allow everything" like firefox. i'm glad it's mostly focused on allowing one way only per feature, and forces developers for most stuff to just use the power of html5.

    i have my adblock, and some other extensions. a lot that i needed extensions for is implemented by default (like browser sync). what is missing?
     
  24. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    The extension API shouldn't allow everything but it has barely changed (I'm going by what the developer of adblock plus says) and still won't allow for things like noscript or adblock plus to work properly.

    They're taking their time because an open API means you can add malicious code but they're really really taking their time.

    The UI is being worked on. They've made a long long list of changes they hope to implement to allow customizability.