SANS ISC: Time to disable WebGL ?

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

WebGL ? I had never heard of WebGL before and I'm sure quite a few among our readers are in the same boat. Yet it is implemented in Firefox 4 and Chrome and Safari browsers and apparently even turned on by default in Firefox 4 and Chrome. Yet, there's something wrong with its security.

So what is WebGL?

It's a way to let components on webpages display 3D models using the full power of the graphics card in the computer. Effectively this exposes some portions of the graphics card's software via the browser to the Internet. 

US-CERT recommends to turn off WebGL in the browsers that do support it (Firefox 4, Chrome, Safari (not enabled by default))

I've looked on my mac how to enable/disable WebGL in Firefox 4, Chrome and Safari, but have been unsuccessful so far as to find even a mention of WebGL in any of them [to be continued...].

References and far more detail:

• http://www.contextis.com/resources/blog/webgl/
• http://www.us-cert.gov/current/index.html#web_users_warned_to_turn
• http://www.theregister.co.uk/2011/05/11/chrome_firefox_security_threat/
• http://www.khronos.org/news/permalink/webgl-security

Thanks go to James for the heads-up.

--
Swa Frantzen -- Section 66