Microsoft says WebGL standard is 'harmful'

Says exposing buggy video drivers to the web is a bad idea
Author:
Publish date:
3_webgl184.jpg

Microsoft said that emerging web-3D graphics standard WebGL was too insecure for the firm to consider supporting in applications like Internet Explorer 9.

In a blog post entitled 'WebGL Considered Harmful' on the software giant's Security Research and Defence blog, Microsoft's MSRC engineering team said "Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive."

Microsoft's chief objection is that the 3D web standard would allow hackers to attack graphics drivers in ways which the browser could not mitigate. Independent security outfit Context also identified a number of WebGL security flaws.

Currently Firefox and Chrome both support WebGL but Context said the browser's supporting the standard "have had to expose low level parts of their operating systems which previously could not be directly accessed by potentially malicious web pages."

WebGL stewards Khronos moved to downplay the criticism, saying "all browser vendors are still working toward passing the WebGL conformance suite," effectively blaming security problems on browser implementations.

However Microsoft's refusal to endorse the standard bodes ill for the format achieving universal support.

"We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities," Microsoft said. "In its current form, WebGL is not a technology Microsoft can endorse from a security perspective," they concluded.

Related