updated 03:25 pm EDT, Tue May 10, 2011
Standard blasted by security researchers
Security research firm Context has issued a report criticizing WebGL, the 3D graphics standard used in popular browsers such as Firefox, Chrome and Safari. The report points to several serious vulnerabilities that are said to leave systems open to attacks. Experimental exploits reportedly used malicious code to gain access to a computer's core operating system.
"These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design," Context's James Forshaw wrote in a blog post. "Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode)."
Forshaw suggests that WebGL is not "ready for mass usage," and users should consider disabling the standard in browsers. The research firm points out that Firefox 4 and Chrome enable WebGL by default, while Safari leaves it as an option that can be turned on if needed.
The Khronos Group, an industry consortium that oversees WebGL development, responded to Context's criticisms, claiming that the standard had already been improved to protect against some of the vulnerabilities. The group placed part of the blame on graphics card manufacturers for not releasing updated drivers to help protect systems.