Software giant Microsoft has ruled that the Khronos Group’s WebGL graphics technology “too dangerous” to support.
Neither has the fact that Google calls WebGL “the most powerful way to add 3D graphics to web pages” and encourages developers to “experiment with graphics programming.”
Of course Microsoft is not against the software because the big cheeses at the Mozzarella Foundation claim that it is ideal for “interactive 3D games, vivid graphics and new visual experiences for the Web”.
Vole makes the claims on the official bog of the Microsoft Security Response Center (MSRC) and signed by MSRC Engineering. It was posted by swiat, which is short for Secure Windows Initiative Attack Team, the group that is responsible for the security architecture of Windows and other Microsoft products, that the ruling follows two reports from Context Information Security.
These state that there are serious design flaws and security problems in WebGL making it a doddle to steal user data through a web browser.
Microsoft said that its analysis concluded Microsoft products supporting WebGL would have a tough time passing Microsoft’s Security Development Lifecycle requirements.
It thinks that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities and in its current form, it can’t endorse WebGL’s security.
Basically the problem is that WebGL tells the world how the person’s hardware works in a way Vole considers more permissive than a French bordello for the morally challenged.
Vole said that Graphics drivers can’t be depended on to uphold security guarantees, and there’s no workable security servicing model for video card drivers.
Microsoft thinks that WebGL enables denial-of-service scenarios that would make it “possible for any web site to freeze or reboot systems at will.”
Khronos Group has been downplaying security concerns, although it did point out that browser vendors are still working toward passing a WebGL conformance suite.
Some of the problems that Vole is banging on about are allegedly due to a bug in Firefox, and has been fixed in Firefox 5.
Google spokesperson said the company doesn’t see WebGL as a significant threat to its users.
There are a lot of frightening things in the world, such as bears, great white sharks and Justin Bieber, so what is a security flaw, he didn’t say.
He did say that parts of the WebGL stack, including the GPU process, “run in separate processes and are sandboxed in Chrome to help prevent various kinds of attacks.”