Vulnerabilities / Threats

5/12/2011
03:54 PM
50%
50%

Graphics Cards Face Internet-Borne Threats

The WebGL 3-D graphics specification implemented in Firefox and Chrome, and included in Safari, is subject to denial of service attacks.

Recommended Reading:
-- Hackers Subvert Google Chrome Sandbox
-- Google Chrome 9 Brings WebGL

Is your graphics card driver an Internet attack vector?

Apparently so, as Context, a British security consultancy, released a security bulletin this week warning that the Web Graphics Library (WebGL) is vulnerable to denial of service (DoS) attacks and cross-domain image theft.

WebGL is a specification that allows Web browsers to use OpenGL--a 3-D, hardware-accelerated graphics API--with HTML5. WebGL is built into Firefox 4 and Chrome, and included with--but not enabled by default--in Safari. Many people see WebGL as a potential open source replacement for Flash, with some added benefits. Notably, WebGL is based on markup language, which means that unlike Flash, WebGL content can be indexed by search engines.

But WebGL can be compromised--causing graphics cards to lock up or execute arbitrary code--if it's fed overly complex shading or rendering requests, or infinite-loop requests, according to Context. "It is easy to trivialize client denial of service attacks when the only affected component is the browser process--there are numerous ways of doing this already--however in this case the attack can completely prevent a user being able to access their computer, making it considerably more serious," Context said.

Results of a denial of service attack against WebGL include everything from making a computer unavailable to actually exploiting the machine. Context, however, declined to release related attack code.

Interestingly, the WebGL documentation itself contains a warning that the specification is subject to denial of service attacks: "It is possible to create, either intentionally or unintentionally, combinations of shaders and geometry that take an undesirably long time to render," in effect shutting down the graphics card.

Likewise, the specification suggests a number of ways in which such attacks might be blocked, but punts solving the problem until later. "The supporting infrastructure at the OS and graphics API layer is expected to improve over time, which is why the exact nature of these safeguards is not specified," it reads.

In response to Context's security warning, the Khronos Group, which is the open standards consortium in charge of maintaining the WebGL specification, said that it's already developed a WebGL extension called GL_ARB_robustness, "specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content."

Khronos also is considering further measures, such as securing cross-domain images. "The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring cross-origin resource sharing (CORS) opt-in or other mechanisms to prevent abuse of this capability," it said.

According to Context, the GL_ARB_robustness extension, which would be included by a graphics hardware manufacturer on their chips, "seems that it would at least mitigate the direct DoS condition where the whole machine becomes unresponsive or crashes." But the extension would also require manufacturers to detect when machines lock up, and then react. That means that a graphics card could still lock up or at least interrupt users.

As a result, "we do not believe it addresses the wider issue," according to a blog post from Context. "The resetting of the graphics card and driver should be seen as a crutch to OS stability when exceptional conditions occur and not as a mechanism to protect users from malicious code."

Accordingly, Context recommends disabling WebGL until there's a fix. The SANS Storm Center offers instructions for deactivating WebGL in both Firefox and Chrome.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11487
PUBLISHED: 2018-05-26
PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the query string to news.php or about.php.
CVE-2018-11471
PUBLISHED: 2018-05-25
Cockpit 0.5.5 has XSS via a collection, form, or region.
CVE-2018-11472
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php).
CVE-2018-11473
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration).
CVE-2018-11474
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. A password change at admin/index.php?id=users&action=edit&user_id=1 does not invalidate a session that is open in a different browser.