Vulnerabilities / Threats
5/12/2011
03:54 PM
50%
50%

Graphics Cards Face Internet-Borne Threats

The WebGL 3-D graphics specification implemented in Firefox and Chrome, and included in Safari, is subject to denial of service attacks.

Recommended Reading:
-- Hackers Subvert Google Chrome Sandbox
-- Google Chrome 9 Brings WebGL

Is your graphics card driver an Internet attack vector?

Apparently so, as Context, a British security consultancy, released a security bulletin this week warning that the Web Graphics Library (WebGL) is vulnerable to denial of service (DoS) attacks and cross-domain image theft.

WebGL is a specification that allows Web browsers to use OpenGL--a 3-D, hardware-accelerated graphics API--with HTML5. WebGL is built into Firefox 4 and Chrome, and included with--but not enabled by default--in Safari. Many people see WebGL as a potential open source replacement for Flash, with some added benefits. Notably, WebGL is based on markup language, which means that unlike Flash, WebGL content can be indexed by search engines.

But WebGL can be compromised--causing graphics cards to lock up or execute arbitrary code--if it's fed overly complex shading or rendering requests, or infinite-loop requests, according to Context. "It is easy to trivialize client denial of service attacks when the only affected component is the browser process--there are numerous ways of doing this already--however in this case the attack can completely prevent a user being able to access their computer, making it considerably more serious," Context said.

Results of a denial of service attack against WebGL include everything from making a computer unavailable to actually exploiting the machine. Context, however, declined to release related attack code.

Interestingly, the WebGL documentation itself contains a warning that the specification is subject to denial of service attacks: "It is possible to create, either intentionally or unintentionally, combinations of shaders and geometry that take an undesirably long time to render," in effect shutting down the graphics card.

Likewise, the specification suggests a number of ways in which such attacks might be blocked, but punts solving the problem until later. "The supporting infrastructure at the OS and graphics API layer is expected to improve over time, which is why the exact nature of these safeguards is not specified," it reads.

In response to Context's security warning, the Khronos Group, which is the open standards consortium in charge of maintaining the WebGL specification, said that it's already developed a WebGL extension called GL_ARB_robustness, "specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content."

Khronos also is considering further measures, such as securing cross-domain images. "The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring cross-origin resource sharing (CORS) opt-in or other mechanisms to prevent abuse of this capability," it said.

According to Context, the GL_ARB_robustness extension, which would be included by a graphics hardware manufacturer on their chips, "seems that it would at least mitigate the direct DoS condition where the whole machine becomes unresponsive or crashes." But the extension would also require manufacturers to detect when machines lock up, and then react. That means that a graphics card could still lock up or at least interrupt users.

As a result, "we do not believe it addresses the wider issue," according to a blog post from Context. "The resetting of the graphics card and driver should be seen as a crutch to OS stability when exceptional conditions occur and not as a mechanism to protect users from malicious code."

Accordingly, Context recommends disabling WebGL until there's a fix. The SANS Storm Center offers instructions for deactivating WebGL in both Firefox and Chrome.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.