Last week, Context researcher James Forshaw identified a vulnerability in WebGL that allows an attack to inject malicious code via the web browser, enabling attacks on the graphics processing unit and graphics driver.
In response, Khronos said it has “specified one extension to OpenGL, GL_ARB_robustness, specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content” and that it was "considering requiring cross-origin resource sharing (CORS) opt-in or other mechanisms to prevent abuse of this capability."
Forshaw responded that the Khronos fix does not address the wider security issue.
“The resetting of the graphics card and driver should be seen as a crutch to OS stability when exceptional conditions occur and not as a mechanism to protect users from malicious code. Resetting the graphics card isn’t guaranteed to be a trouble free operation; all other users of the graphics subsystem will need to correctly handle the event. The graphics stack would have to ensure that any hardware resources are recreated before use to guard against another application misusing it. This operation, while not causing a [denial of service] directly, could still indirectly affect the entire system and the applications running on it.”
Forshaw added, “That does not seem a great way of fixing it.”
The Context researcher reiterated his previous recommendation that WebGL be disabled in the short term. In the longer term, “we would like to see functionality included that would allow users to opt-in for WebGL applications that they trust on a case by case basis”, he added.