Vulnerabilities / Threats
5/12/2011
03:54 PM
50%
50%

Graphics Cards Face Internet-Borne Threats

The WebGL 3-D graphics specification implemented in Firefox and Chrome, and included in Safari, is subject to denial of service attacks.

Recommended Reading:
-- Hackers Subvert Google Chrome Sandbox
-- Google Chrome 9 Brings WebGL

Is your graphics card driver an Internet attack vector?

Apparently so, as Context, a British security consultancy, released a security bulletin this week warning that the Web Graphics Library (WebGL) is vulnerable to denial of service (DoS) attacks and cross-domain image theft.

WebGL is a specification that allows Web browsers to use OpenGL--a 3-D, hardware-accelerated graphics API--with HTML5. WebGL is built into Firefox 4 and Chrome, and included with--but not enabled by default--in Safari. Many people see WebGL as a potential open source replacement for Flash, with some added benefits. Notably, WebGL is based on markup language, which means that unlike Flash, WebGL content can be indexed by search engines.

But WebGL can be compromised--causing graphics cards to lock up or execute arbitrary code--if it's fed overly complex shading or rendering requests, or infinite-loop requests, according to Context. "It is easy to trivialize client denial of service attacks when the only affected component is the browser process--there are numerous ways of doing this already--however in this case the attack can completely prevent a user being able to access their computer, making it considerably more serious," Context said.

Results of a denial of service attack against WebGL include everything from making a computer unavailable to actually exploiting the machine. Context, however, declined to release related attack code.

Interestingly, the WebGL documentation itself contains a warning that the specification is subject to denial of service attacks: "It is possible to create, either intentionally or unintentionally, combinations of shaders and geometry that take an undesirably long time to render," in effect shutting down the graphics card.

Likewise, the specification suggests a number of ways in which such attacks might be blocked, but punts solving the problem until later. "The supporting infrastructure at the OS and graphics API layer is expected to improve over time, which is why the exact nature of these safeguards is not specified," it reads.

In response to Context's security warning, the Khronos Group, which is the open standards consortium in charge of maintaining the WebGL specification, said that it's already developed a WebGL extension called GL_ARB_robustness, "specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content."

Khronos also is considering further measures, such as securing cross-domain images. "The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring cross-origin resource sharing (CORS) opt-in or other mechanisms to prevent abuse of this capability," it said.

According to Context, the GL_ARB_robustness extension, which would be included by a graphics hardware manufacturer on their chips, "seems that it would at least mitigate the direct DoS condition where the whole machine becomes unresponsive or crashes." But the extension would also require manufacturers to detect when machines lock up, and then react. That means that a graphics card could still lock up or at least interrupt users.

As a result, "we do not believe it addresses the wider issue," according to a blog post from Context. "The resetting of the graphics card and driver should be seen as a crutch to OS stability when exceptional conditions occur and not as a mechanism to protect users from malicious code."

Accordingly, Context recommends disabling WebGL until there's a fix. The SANS Storm Center offers instructions for deactivating WebGL in both Firefox and Chrome.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.