Vulnerabilities / Threats
5/12/2011
03:54 PM
50%
50%

Graphics Cards Face Internet-Borne Threats

The WebGL 3-D graphics specification implemented in Firefox and Chrome, and included in Safari, is subject to denial of service attacks.

Recommended Reading:
-- Hackers Subvert Google Chrome Sandbox
-- Google Chrome 9 Brings WebGL

Is your graphics card driver an Internet attack vector?

Apparently so, as Context, a British security consultancy, released a security bulletin this week warning that the Web Graphics Library (WebGL) is vulnerable to denial of service (DoS) attacks and cross-domain image theft.

WebGL is a specification that allows Web browsers to use OpenGL--a 3-D, hardware-accelerated graphics API--with HTML5. WebGL is built into Firefox 4 and Chrome, and included with--but not enabled by default--in Safari. Many people see WebGL as a potential open source replacement for Flash, with some added benefits. Notably, WebGL is based on markup language, which means that unlike Flash, WebGL content can be indexed by search engines.

But WebGL can be compromised--causing graphics cards to lock up or execute arbitrary code--if it's fed overly complex shading or rendering requests, or infinite-loop requests, according to Context. "It is easy to trivialize client denial of service attacks when the only affected component is the browser process--there are numerous ways of doing this already--however in this case the attack can completely prevent a user being able to access their computer, making it considerably more serious," Context said.

Results of a denial of service attack against WebGL include everything from making a computer unavailable to actually exploiting the machine. Context, however, declined to release related attack code.

Interestingly, the WebGL documentation itself contains a warning that the specification is subject to denial of service attacks: "It is possible to create, either intentionally or unintentionally, combinations of shaders and geometry that take an undesirably long time to render," in effect shutting down the graphics card.

Likewise, the specification suggests a number of ways in which such attacks might be blocked, but punts solving the problem until later. "The supporting infrastructure at the OS and graphics API layer is expected to improve over time, which is why the exact nature of these safeguards is not specified," it reads.

In response to Context's security warning, the Khronos Group, which is the open standards consortium in charge of maintaining the WebGL specification, said that it's already developed a WebGL extension called GL_ARB_robustness, "specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content."

Khronos also is considering further measures, such as securing cross-domain images. "The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring cross-origin resource sharing (CORS) opt-in or other mechanisms to prevent abuse of this capability," it said.

According to Context, the GL_ARB_robustness extension, which would be included by a graphics hardware manufacturer on their chips, "seems that it would at least mitigate the direct DoS condition where the whole machine becomes unresponsive or crashes." But the extension would also require manufacturers to detect when machines lock up, and then react. That means that a graphics card could still lock up or at least interrupt users.

As a result, "we do not believe it addresses the wider issue," according to a blog post from Context. "The resetting of the graphics card and driver should be seen as a crutch to OS stability when exceptional conditions occur and not as a mechanism to protect users from malicious code."

Accordingly, Context recommends disabling WebGL until there's a fix. The SANS Storm Center offers instructions for deactivating WebGL in both Firefox and Chrome.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0750
Published: 2015-05-22
The administrative web interface in Cisco Hosted Collaboration Solution (HCS) 10.6(1) and earlier allows remote authenticated users to execute arbitrary commands via crafted input to unspecified fields, aka Bug ID CSCut02786.

CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.