Vulnerabilities / Threats
5/12/2011
03:54 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Graphics Cards Face Internet-Borne Threats

The WebGL 3-D graphics specification implemented in Firefox and Chrome, and included in Safari, is subject to denial of service attacks.

Recommended Reading:
-- Hackers Subvert Google Chrome Sandbox
-- Google Chrome 9 Brings WebGL

Is your graphics card driver an Internet attack vector?

Apparently so, as Context, a British security consultancy, released a security bulletin this week warning that the Web Graphics Library (WebGL) is vulnerable to denial of service (DoS) attacks and cross-domain image theft.

WebGL is a specification that allows Web browsers to use OpenGL--a 3-D, hardware-accelerated graphics API--with HTML5. WebGL is built into Firefox 4 and Chrome, and included with--but not enabled by default--in Safari. Many people see WebGL as a potential open source replacement for Flash, with some added benefits. Notably, WebGL is based on markup language, which means that unlike Flash, WebGL content can be indexed by search engines.

But WebGL can be compromised--causing graphics cards to lock up or execute arbitrary code--if it's fed overly complex shading or rendering requests, or infinite-loop requests, according to Context. "It is easy to trivialize client denial of service attacks when the only affected component is the browser process--there are numerous ways of doing this already--however in this case the attack can completely prevent a user being able to access their computer, making it considerably more serious," Context said.

Results of a denial of service attack against WebGL include everything from making a computer unavailable to actually exploiting the machine. Context, however, declined to release related attack code.

Interestingly, the WebGL documentation itself contains a warning that the specification is subject to denial of service attacks: "It is possible to create, either intentionally or unintentionally, combinations of shaders and geometry that take an undesirably long time to render," in effect shutting down the graphics card.

Likewise, the specification suggests a number of ways in which such attacks might be blocked, but punts solving the problem until later. "The supporting infrastructure at the OS and graphics API layer is expected to improve over time, which is why the exact nature of these safeguards is not specified," it reads.

In response to Context's security warning, the Khronos Group, which is the open standards consortium in charge of maintaining the WebGL specification, said that it's already developed a WebGL extension called GL_ARB_robustness, "specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content."

Khronos also is considering further measures, such as securing cross-domain images. "The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring cross-origin resource sharing (CORS) opt-in or other mechanisms to prevent abuse of this capability," it said.

According to Context, the GL_ARB_robustness extension, which would be included by a graphics hardware manufacturer on their chips, "seems that it would at least mitigate the direct DoS condition where the whole machine becomes unresponsive or crashes." But the extension would also require manufacturers to detect when machines lock up, and then react. That means that a graphics card could still lock up or at least interrupt users.

As a result, "we do not believe it addresses the wider issue," according to a blog post from Context. "The resetting of the graphics card and driver should be seen as a crutch to OS stability when exceptional conditions occur and not as a mechanism to protect users from malicious code."

Accordingly, Context recommends disabling WebGL until there's a fix. The SANS Storm Center offers instructions for deactivating WebGL in both Firefox and Chrome.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web