Chrome and Firefox users warned to turn off WebGL
Firefox and Chrome users are being warned to turn off a 3D rendering tool in their browsers following “significant” security problems.
Part of the HTML5 Canvas functionality, WebGL is a rendering engine that allows 3D images and animations without plugins. It is used in the latest versions of Chrome and Firefox, as well as the newest builds of Safari.
Security firm Context warned that the specification is “inherently insecure”.
“The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted,” says Michael Jordon, research and development Manager at Context.
“While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross-domain security principle to denial-of-service attacks, potentially leading to full exploitation of a user’s machine.”
Those concerns with WebGL have been backed by the US Computer Emergency Readiness Team (CERT), the federal government’s cybersecurity advisor. US CERT warned that WebGL contains “multiple significant security issues”, and advised users to turn it off.
“The impact of these issues includes arbitrary code execution, denial-of-service, and cross-domain attacks,” US CERT said, warning users to “disable WebGL to help mitigate the risks”.
How to turn off WebGL
Here’s how to turn off WebGL (thanks to TechDows for the instructions).
- right click on the Chrome shortcut
- click properties
- type -disable-webgl into the target field after the Chrome.exe line (…chrome.exe -disable-webgl)
- click apply
How to turn off WebGL in Firefox 4:
- type “about:config” into the address bar
- agree to the “here be dragons” warning message
- type “webgl” into the Filter field
- double click “webgl.disable” so the value changes to “true”
- retstart the browser
We’re still waiting on confirmation from Google and Mozilla on whether disabling WebGL in these ways will be sufficient protection.